shell bypass 403
UnknownSec Shell
:
/
usr
/
lib
/
Acronis
/
BackupAndRecovery
/ [
drwxr-xr-x
]
upload
mass deface
mass delete
console
info server
name :
create_hosting_panel_client.py
#!/usr/sbin/acropsh from argparse import ArgumentParser import subprocess import base64 import json import uuid import sys import os import xml.etree.ElementTree as ET try: from urllib.parse import urlencode from urllib.request import urlopen, Request from urllib.error import HTTPError except ImportError: from urllib import urlencode from urllib2 import urlopen, Request, HTTPError class ClientCreator: def __init__(self, cred1, cred2, bearer_token, ve_ids): self.cred1 = cred1 self.cred2 = cred2 self.bearer_token = bearer_token self.group_id = '' self.tenant_id = '' self.ve_ids = ve_ids self.headers = {} self.dc_url = '' self.mc_url = '' def run(self): print('\nConnecting to the Cyber Protect service...') try: self.identify_url_and_group() except Exception as e: print("Failed to identify agent registration details, please confirm the agent is registered and try again") sys.exit() if not self.bearer_token: self.dc_login() print('Successfully authenticated with the Cyber Protection service.') else: self.headers = {'Authorization': 'Bearer {}'.format(self.bearer_token), 'Content-Type': 'application/json'} self.group_to_tenant() self.id_vz_ve_to_process() self.process_api_clients() def identify_url_and_group(self): parts = subprocess.check_output(['aakore', 'info']).decode('utf-8').strip().split('cloud server: ')[1].split(' ') self.dc_url = parts[0] self.mc_url = '{}/api/2/'.format(self.dc_url) self.group_id = parts[-1] def dc_login(self): is_client_auth = False try: uuid.UUID(str(self.cred1)) is_client_auth = True except: pass try: if not is_client_auth: payload = {'grant_type': 'password', 'username': self.cred1, 'password': self.cred2} login_response = urlopen(Request('{}idp/token'.format(self.mc_url), data=urlencode(payload).encode('utf-8'))) else: payload = {'grant_type': 'client_credentials'} req = Request('{}idp/token'.format(self.mc_url), data=urlencode(payload).encode('utf-8')) req.add_header("Authorization", "Basic {}".format(base64.b64encode('{}:{}'.format(self.cred1, self.cred2).encode('utf-8')).decode('utf-8'))) login_response = urlopen(req) except HTTPError as e: if 'totp_required' in e.read().decode('utf-8'): totp_code = input( '\nThis account is protected with two-factor authentication. Please enter the TOTP code: ') login_response = urlopen(Request('{}idp/token'.format(self.mc_url), data=urlencode( {'grant_type': 'password', 'username': self.cred1, 'password': self.cred2, 'totp_code': totp_code} ).encode('utf-8'))) if login_response.getcode() != 200: print( "Failed to obtain an access token. Please check your credentials and try again.") sys.exit() else: raise e except Exception as e: print("Failed to create an access token: {}".format(e)) sys.exit() if login_response.getcode() != 200: if json.loads(login_response.read().decode('utf-8')).get("error") == "totp_required": totp_code = input( '\nThis account is protected with two-factor authentication. Please enter the TOTP code: ') login_response = urlopen(Request('{}idp/token'.format(self.mc_url), data=urlencode( {'grant_type': 'password', 'username': self.username, 'password': self.password, 'totp_code': totp_code} ).encode('utf-8'))) if login_response.getcode() != 200: print( "Failed to obtain an access token. Please check your credentials and try again.") sys.exit() else: print("Failed to obtain an access token. Please check your credentials and try again.") sys.exit() self.headers = {'Authorization': 'Bearer {}'.format(json.loads(login_response.read().decode('utf-8')).get('access_token', '')), 'Content-Type': 'application/json'} def group_to_tenant(self): group_req = Request('{}/api/1/groups/{}'.format(self.dc_url, self.group_id), None, self.headers) self.tenant_id = json.loads(urlopen(group_req).read().decode('utf-8')).get('uuid') def id_vz_ve_to_process(self): if self.ve_ids: self.ve_ids = self.ve_ids.split(',') return else: self.ve_ids = [] if os.path.isdir("/vz/root/"): try: for line in subprocess.check_output(['prlctl', 'list', '-o', 'uuid', '-H']).decode('utf-8').splitlines(): self.ve_ids.append(line.strip().strip('{}')) except FileNotFoundError: return def process_api_clients(self): if self.ve_ids: for ve in self.ve_ids: try: self.process_api_client(ve) except Exception as err: print("Failed to create client for VE {}: {}".format(ve, err)) else: try: self.process_api_client() except Exception as err: print("Failed to create an agent client or save it to file. {}".format(err)) def process_api_client(self, ve_id=None): plugin_srv_path = self.get_secret_file_path(ve_id) if not plugin_srv_path: print('Unable to detect a hosting control panel. Skipping...') return client_path = os.path.join(plugin_srv_path, 'client_secret.json') res_id = ve_id if ve_id else self.get_res_id_from_agent_config() client_id_from_existing_sw_pol = self.client_id_from_existing_sw_policy(res_id) client_data = self.get_client_creds(client_path, ve_id) if client_data: client_id = client_data.get('client_id') if client_id: if client_id_from_existing_sw_pol and client_id == client_id_from_existing_sw_pol: if self.client_exists(client_id_from_existing_sw_pol): if self.client_is_authorizable(client_data): return else: self.recreate_and_save(client_id, client_path, ve_id) return else: if self.client_exists(client_id) and self.is_hosting_panel_agent_type(client_id): self.delete_client_from_cloud(client_id) if client_id_from_existing_sw_pol and self.client_exists(client_id_from_existing_sw_pol): self.recreate_and_save(client_id_from_existing_sw_pol, client_path, ve_id) return self.create_client_and_save(client_path, ve_id, client_id_from_existing_sw_pol) def get_client_creds(self, client_path, ve_id=None): if not ve_id: try: with open(client_path) as client_file: return json.load(client_file) except: return {} else: try: return json.loads(subprocess.check_output(['prlctl', 'exec', ve_id, 'cat', client_path, '2>/dev/null']).decode('utf-8').strip()) except subprocess.CalledProcessError: return {} def client_exists(self, client_id): client_request = Request('{}/api/2/clients/{}'.format(self.dc_url, client_id), None, self.headers) try: return urlopen(client_request).getcode() == 200 except HTTPError: return False def client_is_authorizable(self, client_data): payload = {'grant_type': 'client_credentials'} req = Request('{}idp/token'.format(self.mc_url), data=urlencode(payload).encode('utf-8')) req.add_header("Authorization", "Basic {}".format(base64.b64encode('{}:{}'.format(client_data.get('client_id'), client_data.get('client_secret')).encode('utf-8')).decode('utf-8'))) try: return urlopen(req).getcode() == 200 except HTTPError: return False def create_client_and_save(self, path, ve_id=None, client_id=None): client_data = self.create_client(ve_id, client_id) try: self.save_client(client_data, path, ve_id) except Exception as e: self.delete_client_from_cloud(client_data['client_id']) raise e def recreate_and_save(self, client_id, path, ve_id=None): self.delete_client_from_cloud(client_id) self.create_client_and_save(client_id, path, ve_id) def check_file_exists(self, path, ve_id=None): if not ve_id: return os.path.exists(path) try: subprocess.check_output(['prlctl', 'exec', ve_id, 'ls', path]) return True except subprocess.CalledProcessError: return False def get_res_id_from_agent_config(self): tree = ET.parse('/etc/Acronis/BackupAndRecovery.config') root = tree.getroot() return root.findall(".//value[@name='InstanceID']")[0].text.replace('"','') def compile_client_name(self, ve_id=None): if not ve_id: return "Instance ID: {}".format(self.get_res_id_from_agent_config()) else: return "Virtuozzo Instance ID: {}".format(ve_id.upper()) def is_hosting_panel_agent_type(self, client_id): client_request = Request('{}/api/2/clients/{}'.format(self.dc_url, client_id), None, self.headers) client_response = urlopen(client_request) parsed_response = json.loads(client_response.read().decode('utf-8')) return parsed_response.get('data', {}).get('agent_type', '') == 'hosting_panel' def client_id_from_existing_sw_policy(self, ve_id): if not ve_id: return None app_request = Request( '{}/api/policy_management/v4/applications?context_id={}&policy_type=policy.backup.machine'.format(self.dc_url, ve_id), None, self.headers ) app_response = urlopen(app_request) parsed_app_response = json.loads(app_response.read().decode('utf-8')) for comp_app in parsed_app_response.get('items', []): for app in comp_app: if 'policy.backup.' in app.get('policy', {}).get('type', ''): pol_request = Request( '{}/api/policy_management/v4/policies/{}'.format(self.dc_url, app.get('policy', {}).get('id')), None, self.headers ) pol_response = urlopen(pol_request) parsed_pol_response = json.loads(pol_response.read().decode('utf-8')) policy = parsed_pol_response.get('policy', [])[0] if 'client_id' in policy: return policy['client_id'] return None def create_client(self, ve_id=None, client_id=None): creation_request_body = { "type": "agent", "tenant_id": self.tenant_id, "data": { "client_name": self.compile_client_name(ve_id), "agent_type": "hosting_panel" }, "token_endpoint_auth_method": "client_secret_basic" } if client_id: creation_request_body['client_id'] = client_id creation_request = Request( '{}/bc/api/account_server/v2/clients'.format(self.dc_url), json.dumps(creation_request_body).encode('utf-8'), self.headers ) creation_response = urlopen(creation_request) if creation_response.getcode() == 201: parsed_response = json.loads(creation_response.read().decode('utf-8')) return {key:parsed_response[key] for key in ['client_id', 'client_secret']} else: raise Exception("Internal error occurred while creating an agent client: {}".format( creation_response.getcode())) def delete_client_from_cloud(self, client_id): client_deletion_request = Request('{}/api/2/clients/{}'.format(self.dc_url, client_id), None, self.headers) client_deletion_request.get_method = lambda: 'DELETE' client_deletion_response = urlopen(client_deletion_request) if client_deletion_response.getcode() != 204: print("Failed to delete API client {} from the Cyber Protection service.".format(client_id)) def get_secret_file_path(self, ve): paths = [ '/usr/local/cpanel/base/3rdparty/acronisbackup/srv', '/usr/local/directadmin/plugins/acronisbackup/srv', '/usr/local/psa/var/modules/acronis-backup/srv' ] if not ve: for path in paths: if os.path.isdir(path): return path else: for path in paths: try: subprocess.check_output(['prlctl', 'exec', ve, 'ls', path, '>/dev/null', '2>&1']) return path except subprocess.CalledProcessError: pass return None def save_client(self, client_data, path, ve_id): client_data['url'] = self.dc_url client_secret_file_content = json.dumps(client_data, sort_keys=True, separators=(',', ':')) if not ve_id: try: with open(path, 'w') as f: f.write(client_secret_file_content) os.chmod(path, 0o660) except Exception as e: raise Exception( "Failed to save credentials to file {}".format(path)) else: try: subprocess.check_output(['prlctl', 'exec', ve_id, 'echo', "'{}'".format(client_secret_file_content), '>', path]) except Exception as e: raise Exception( "Failed to save credentials for VE {}".format(ve_id)) if self.check_file_exists(path, ve_id): print("Agent client was successfully created{}".format(' for ' + ve_id if ve_id else '.')) def main(args): cred1 = '' cred2 = os.environ.get('ACRONIS_HOSTING_SECRET', '') bearer_token = os.environ.get('ACRONIS_HOSTING_BEARER_TOKEN', '') if args.username: cred1 = args.username if not cred2 and args.password_file: with open(args.password_file) as f: cred2 = f.readline().strip() if args.client_id: cred1 = args.client_id if not cred2 and args.secret_file: with open(args.secret_file) as f: cred2 = f.readline().strip() if not cred1 and not cred2 and not bearer_token: print('Authentication with the Cyber Protection service is required. \ Please use either --username and --password-file or --client-id and --secret-file.') sys.exit() cl_creator = ClientCreator(cred1, cred2, bearer_token, args.ve_id) cl_creator.run() print('Done! Good bye.') def parse_arguments(): parser = ArgumentParser( description='This script generates unique API Clients necessary to ensure the connectivity of hosting control panel integrations with Acronis Cyber Protect Cloud. Make sure to run this script on the host where the protection agent is installed. This applies to both agent-based and agentless deployments.') parser.add_argument('-u', '--username', help='Account name (login) used during the protection agent installation and registration process.') parser.add_argument('-p', '--password-file', help='Path to the file with the password.') parser.add_argument('-i', '--client-id', help='Client ID used during the protection agent installation and registration process.') parser.add_argument('-s', '--secret-file', help='Path to the file with the Client Secret.') parser.add_argument('-c', '--ve-id', help='Comma-separated list of virtual environment (container, virtual machine) IDs. If not defined, all virtual environments will be processed.') return parser.parse_args() if __name__ == '__main__': main(parse_arguments())
© 2025 UnknownSec