CVE-2019-18935 PoC — Progress Telerik UI for ASP.NET AJAX 代码问题漏洞

Source

https://github.com/ekkoo-z/CVE-2019-18935-bypasswaf

Associated Vulnerability

Title:Progress Telerik UI for ASP.NET AJAX 代码问题漏洞 (CVE-2019-18935)
Description:Progress Telerik UI for ASP.NET AJAX是一款HTML编辑器。 Progress Telerik UI for ASP.NET AJAX 2019.3.1023及之前版本中的‘RadAsyncUpload’函数存在代码问题漏洞。远程攻击者可借助特制请求利用该漏洞在w3wp.exe进程上下文中执行任意代码。

Readme

# CVE-2019-18935-bypasswaf
修改原项目：https://github.com/noperator/CVE-2019-18935  
1. 攻击恶意payload从cookie中传入  
2. metadata数据以加密接口传入并反序列化
3. 默认代理127.0.0.1:8080
4. 默认攻击负载为哥斯拉内存马 密码：pass key AES_base64加密器
想使用自己的内存马逻辑可参考该项目：  
https://github.com/dust-life/CVE-2019-18935-memShell


使用命令: python CVE-2019-18935.py -v xxxx  -u https://xxxxxx/Telerik.Web.UI.WebResource.axd -f c:\\users\\public  -p gmemShell.dll

提示下图一般为利用成功  
<img width="349" height="268" alt="图片" src="https://github.com/user-attachments/assets/27c1e580-846c-4084-94e0-30588d6a2981" />

File Snapshot


 [4.0K]  /data/pocs/09dc50818aa49b3a77ef94c9bd2116a3dcbcf7b1
├── [ 10K]  exp.py
├── [ 96K]  gmemShell.dll
├── [4.0K]  RAU_crypto
│   ├── [ 11K]  LICENSE
│   ├── [ 14K]  RAU_crypto.py
│   └── [4.4K]  README.md
├── [ 717]  README.md
└── [  22]  requirements.txt

1 directory, 7 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!