MCPcopy Index your code
hub / github.com/USArmyResearchLab/Dshell / __init__

Method __init__

dshell/plugins/http/joomla.py:13–46  ·  view source on GitHub ↗
(self)

Source from the content-addressed store, hash-verified

11
12class DshellPlugin(HTTPPlugin):
13 def __init__(self):
14 super().__init__(
15 name="Joomla CVE-2015-8562",
16 author="bg",
17 description='detect attempts to enumerate MS15-034 vulnerable IIS servers',
18 bpf='tcp and (port 80 or port 8080 or port 8000)',
19 output=AlertOutput(label=__name__),
20 optiondict={
21 "raw_payload": {
22 "action": "store_true",
23 "help": "return the raw payload (do not attempt to decode chr encoding)",
24 }
25 },
26 longdescription='''
27Detect and dissect malformed HTTP headers targeting Joomla
28
29https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562
30
31Usage Examples:
32---------------
33
34Dshell> decode -d joomla *.pcap
35[Joomla CVE-2015-8562] 2015-12-15 20:17:18 192.168.1.119:43865 <- 192.168.1.139:80 ** x-forwarded-for -> system('touch /tmp/2'); **
36
37The module assumes the cmd payload is encoded using chr. To turn this off run:
38
39Dshell> decode -d joomla --joomla_raw_payload *.pcap
40[Joomla CVE-2015-8562] 2015-12-15 20:17:18 192.168.1.119:43865 <- 192.168.1.139:80 ** x-forwarded-for -> "eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(116).chr(111).chr(117).chr(99).chr(104).chr(32).chr(47).chr(116).chr(109).chr(112).chr(47).chr(50).chr(39).chr(41).chr(59)); **
41''&#x27;,
42 )
43
44 # Indicator of (potential) compromise
45 self.ioc = "JFactory::getConfig();exit"
46 self.ioc_bytes = bytes(self.ioc, "ascii")
47
48 def attempt_decode(self, cmd):
49 ptext = ''

Callers

nothing calls this directly

Calls 1

AlertOutputClass · 0.90

Tested by

no test coverage detected